Webhook verification fails: computed HMAC and the header signature are not matching

Webhook verification fails: computed HMAC and the header signature are not matching

Chemchampa
Shopify Partner
1 0 1

I've been developing an app using Flask web framework. It is meant to integrate my Shopify store with Xero. 

At the moment I'm struggling to solve the issue related to the verification of the webhook signature. It fails because the computed HMAC and the header signature are not matching.

 

Terminal output as it happens for evidence:

Raw Header Signature: 86WERikW27hQRPhAYNXOakrfLa82thuHFvAs3HNBOAI=
Computed HMAC: VCdBkD+VKE611BmTjTfikfSmK6cdyCRrIdFSO5xNnw8=
Header Signature: 86WERikW27hQRPhAYNXOakrfLa82thuHFvAs3HNBOAI=
127.0.0.1 - - [10/Apr/2023 18:53:41] "POST /webhook/order_create HTTP/1.1" 401 -


Here's what I've got:
- I'm using regular Shopify admin not the Shopify Partners (although I have the matching app set up here as well).
- I've checked maybe 10 times to confirm that my 'API key', 'API secret key', and 'Password' (API access token) are all correct.
- I'm using NGROK to allow Shopify to send webhook events to my local machine.
- I'm certain that the Callback URL I'm using in the webhook on Shopify matches the forwarding url generated by ngrok.
- API_SECRET -> I'm using the API Key secret from the API credentials on my regular Shopify admin.
- Here's a block from my code for reference:
webhook verification issues.png

 

I've tried so many different things already and nothing worked so far. I was wondering if there are any known issues with webhooks at the moment or if there are any recent changes in the way HMAC signatures are handled?

I was hoping that you might be able to provide more insights or help me troubleshoot the problem.

Thank you in advance!

Reply 1 (1)

Pcastro
Shopify Staff
15 0 4

Hello,

 

Sorry this is not working for you. No, we don't have any recent reported issues with webhooks or HMAC signatures.

In the past some devs have reported issues with custom integrations which ended up being related related to not using the proper client secret, extra quotes or payload encoding issues (see https://github.com/Shopify/shopify-api-js/issues/320 for example).

 

Let me ask you some questions, please, to see if I can help you further:

 

I see that your code is slightly different to what we suggest here: https://shopify.dev/docs/apps/webhooks/configuration/https#step-5-verify-the-webhook . Can I assume that you tried that and it didn't work either?

 

Also 


- I'm using regular Shopify admin not the Shopify Partners (although I have the matching app set up here as well).

Have you made sure that you're using the client secret as set in Partners for your app? (be careful with leading or trailing spaces)

 

An extra check to validate the secret, a good tip could be to create an app using Shopify's CLI https://shopify.dev/docs/apps/getting-started/create, link it to your existing app and try a basic webhook delivery to see if, with the standard template and last version of ShopifyAPI libraries, the integration works for you.

 

Best regards,

Paco | Developer @ Shopify

 

To learn more visit the Shopify Help Center or the Community Blog.