Webhook Verification Not Working

Shopify Partner
8 1 5


I'm trying to verify a webhook in my rails app according to the docs here: https://help.shopify.com/en/api/getting-started/webhooks

The code given in the docs does not seem to produce the same result as the HMAC header sent with the webhook. Are the docs outdated? What am I doing wrong here?


@data = request.body.read

calculated_hmac = Base64.strict_encode64(OpenSSL::HMAC.digest('sha256', Rails.application.secrets.shared_secret, @data))

compare = ActiveSupport::SecurityUtils.secure_compare(calculated_hmac, hmac_header)


Replies 3 (3)

Shopify Partner
8 1 5

Figured it out. Do NOT use your app's shared secret like the docs tell you to.

Use the signature string at the bottom of your webhooks creation interface.

Shopify Partner
1 0 0

I implemented it with nodejs and it was working with the client secret.

Here is the code snippet.


export function verifyWebhook (request: Request, response: Response, next: NextFunction): void {
    if (!clientSecret) {
        throw new Error('SHOPIFY_API_SECRET environment variable not set');
    const incomingHMAC = request.headers['x-shopify-hmac-sha256'];
    const digest = crypto.createHmac('SHA256', clientSecret).update(request.rawBody).digest('base64');
    if (incomingHMAC !== digest) {
    } else {
Shopify Partner
5 0 0

update 8/13/2023

Documentation still says use client secret. However, only thing worked for me was the hash string at the bottom of the create webhook section. Once I plugged that string in for the "Client Secret" everything validated.