Can't get to match my webhook hashes

Shopify Apps

Topic summary

A developer is experiencing issues validating Shopify webhook signatures using the GraphQL API. They’re attempting to verify webhooks by:

Current Implementation:

  • Extracting the x-shopify-hmac-sha256 header from incoming requests
  • Creating an HMAC hash using their Admin API Secret Key from the “Develop apps” section
  • Hashing the raw request body with SHA256
  • Comparing the generated hash against the webhook header using crypto.timingSafeEqual

The Problem:
The generated hash doesn’t match the hash provided in the webhook header, preventing successful validation.

The code snippet shows they’re using Node.js crypto module with base64 encoding for the digest. The issue remains unresolved with no responses yet addressing potential causes like incorrect secret key usage, body parsing issues, or encoding mismatches.

Summarized with AI on November 1. AI used: claude-sonnet-4-5-20250929.
1

Hi there, I’m making my webhooks from GraphQL api and trying to check the validity of the webhook but I can’t get them to match together.

Here is how I proceed:

const hmac = req.headers["x-shopify-hmac-sha256"];
const hash = crypto.createHmac("sha256", shop.adminToken).update(req.rawBody, "utf8", "hex").digest("base64");

if (crypto.timingSafeEqual(Buffer.from(hash), Buffer.from(hmac))) {
	console.log("...");
}

shop.adminToken is my “Develop apps” Admin API Secret Key (so the one also used for creating the admin api instance that created the webhook).