
Webhook Validation

Garden_Variety
Shopify Partner

Hi – I create a new webhook (order payment event) via the API. Do I use my Shopify “shared_secret” to validate the “X-Shopify-Hmac-SHA256” token passed in the header of the request? I am using .Net to validate the token – does anyone have sample .Net validation code?

Alex
Shopify Staff

I don't have a .Net code snippet to share, but the algorithm can be seen in Ruby and PHP here: https://help.shopify.com/en/api/getting-started/webhooks#verify-webhook

You are correct in that you use the shared_secret as set in your partner dashboard to validate the HMAC. In the example, `data` is the stringified JSON, and the actual values being compared are the Base64 representations of the HMAC, so make sure you encode your HMAC as Base64 before comparing.

Cheers.

Alex | Shopify 

developer_2020
Shopify Partner

Does anyone have the .NET code example?
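
The check described in Alex's reply, written out in C# as an added example; it is not part of the original thread and is not Shopify's own code. It compares the Base64-decoded header against the computed HMAC bytes in fixed time, which is equivalent to comparing the two Base64 strings. Assumptions: .NET Core 2.1 or later (for `CryptographicOperations.FixedTimeEquals`), a hypothetical class name `ShopifyWebhookVerifier`, and constructed sample values in `Main`.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class ShopifyWebhookVerifier // hypothetical helper, not a Shopify API
{
    // rawBody:      request body bytes exactly as received. Assumption of this example:
    //               hash these bytes, not re-serialised JSON, which can change the digest.
    // hmacHeader:   value of the X-Shopify-Hmac-SHA256 header (Base64 text).
    // sharedSecret: the shared_secret from the partner dashboard.
    public static bool IsValid(byte[] rawBody, string hmacHeader, string sharedSecret)
    {
        if (rawBody == null || string.IsNullOrEmpty(hmacHeader) || string.IsNullOrEmpty(sharedSecret))
            return false;

        byte[] received;
        try { received = Convert.FromBase64String(hmacHeader.Trim()); }
        catch (FormatException) { return false; } // header is not valid Base64

        using (var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(sharedSecret)))
        {
            byte[] expected = hmac.ComputeHash(rawBody);
            // Fixed-time comparison avoids leaking how many leading bytes matched;
            // it returns false when the two lengths differ.
            return CryptographicOperations.FixedTimeEquals(expected, received);
        }
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample secret and payload, for demonstration only.
        const string secret = "example_shared_secret";
        byte[] body = Encoding.UTF8.GetBytes("{\"id\":1001,\"financial_status\":\"paid\"}");

        string header;
        using (var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(secret)))
            header = Convert.ToBase64String(hmac.ComputeHash(body));

        Console.WriteLine("genuine:  " + ShopifyWebhookVerifier.IsValid(body, header, secret));
        body[0] ^= 0x01; // flip one bit to simulate a modified payload
        Console.WriteLine("tampered: " + ShopifyWebhookVerifier.IsValid(body, header, secret));
    }
}
```

In a web application, read the request body into a byte array before any model binding or JSON parsing, and reject the request when `IsValid` returns false.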