Hi – I create a new webhook (order payment event) via the API. Do I use my Shopify “shared_secret” to validate the “X-Shopify-Hmac-SHA256” token passed in the header of the request? I am using .Net to validate the token – does anyone have sample .Net validation sample code?
You are correct in that you use the shared_secret as set in your partner dashboard to validate the HMAC. In the example, `data` is the stringified JSON, and the actual values being compared are the Base64 representations of the HMAC, so make sure you encode your HMAC as Base64 before comparing.
Alex | Shopify - Was my reply helpful? Click Like to let me know! - Was your question answered? Mark it as an Accepted Solution - To learn more visit the Shopify Help Center or the Shopify Blog