Topics covering webhook creation & management, event handling, Pub/Sub, and Eventbridge, in Shopify apps.
I've been working on creating some webhooks for my dev-shop. Unfortunately none of the test notifications contain X_SHOPIFY_HMAC_SHA256 in the header.
I'm getting only HTTP_X_SHOPIFY_TOPIC and HTTP_X_SHOPIFY_SHOP_DOMAIN. Nothing in the headers (i'm dumping the $_SERVER array in php) looks like the SHA.
Is that because of the dev-shop? Will it change with the real shop? For me it looks quite strange if this is not available to test with the dev shop?
Hope that somebody have faced similar issue and knows the answer!
HTTP_X_SHOPIFY_HMAC_SHA256 and HTTP_X_SHOPIFY_TOPiC is a goofy thing Rails/Rack does when pulling out HTTP headers.
Since you aren't using Rails the headers should be under "X-Shopify-Hmac-SHA256" and "X-Shopify-Topic" respectively. I think the docs cover this but if not I'll get that update appropriately.
Chris | Shopify
- Was my reply helpful? Click Like to let me know!
- Was your question answered? Mark it as an Accepted Solution
- To learn more visit the Shopify Help Center or the Shopify Blog
Hi Chris,
There is nothing like X-Shopify-Hmac-SHA256 in the header (taking into account all possible lower/higher case combinations).
Though I'm getting 'X-Shopify-Topic' and 'X-Shopify-Shop-Domain'.
Any idea why?
Is it a custom webhook endpoint that you created in the admin?
Chris | Shopify
- Was my reply helpful? Click Like to let me know!
- Was your question answered? Mark it as an Accepted Solution
- To learn more visit the Shopify Help Center or the Shopify Blog
Yes,
All I'm doing in that php script is:
ob_start(); var_dump($_SERVER); $output = ob_get_clean(); file_put_contents('output.txt', $output);
for god knows what reason, shopify have decided that webhooks created in the admin shouldn't be able to be validated. If you want to use the X-Shopify-Hmac-SHA256 to validate your webhook, you need to create the webhook through the API.
Webhooks created through the Admin don't have a key so they have no identifying information that can be used to generate the signature. That's why it's missing.
If you want you can use a private app and create webhooks that way. Also since they are scoped to the app they won't show up in the Admin and users won't be able to destroy them by mistake.
Chris | Shopify
- Was my reply helpful? Click Like to let me know!
- Was your question answered? Mark it as an Accepted Solution
- To learn more visit the Shopify Help Center or the Shopify Blog
Thank you Jared, Chris. That helps a lot!