Join us for an upcoming Shopify Partner webinar on February 27, 2024. Discover the latest Checkout Extensibility features, and deep dive on improvements to Shopify Functions and Web Pixels. Register now for either the 10am EST or 2pm EST sessions.

Webhook Validation

Garden_Variety
Shopify Partner
2 0 1

Hi – I create a new webhook (order payment event) via the API. Do I use my Shopify “shared_secret” to validate the “X-Shopify-Hmac-SHA256” token passed in the header of the request? I am using .Net to validate the token – does anyone have sample .Net validation sample code?

Replies 2 (2)

Alex
Shopify Staff
1561 81 341

I don't have a .Net code snippet to share, but the algorithm can be seen in Ruby and PHP here: https://help.shopify.com/en/api/getting-started/webhooks#verify-webhook

You are correct in that you use the shared_secret as set in your partner dashboard to validate the HMAC. In the example, `data` is the stringified JSON, and the actual values being compared are the Base64 representations of the HMAC, so make sure you encode your HMAC as Base64 before comparing.

Cheers.

Alex | Shopify 
 - Was my reply helpful? Click Like to let me know! 
 - Was your question answered? Mark it as an Accepted Solution
 - To learn more visit the Shopify Help Center or the Shopify Blog

developer_2020
Shopify Partner
60 0 7

Does anyone have the .NET code example?