CarrierService callback_url authentication

brendonparker · August 21, 2023, 1:34am

For the CarrierService callback_url, looking for the recommended way to verify the requests coming in on my callback_url are from Shopify. I tried using:

export async function action({ request }) {
    const { } = await authenticate.webhook(request);

    return json({ ... })
};

But that gave a 400 error.

I see there is a signature header: x-shopify-hmac-sha256

Is that the recommended mechanism to verify the authenticity of the request? Anything in the shopify-api-js lib I can use the validate this, or do I have to hand-write something?

Certainly this isn’t expected to be a purely public API allowing just anyone to call it - what am I missing?

gsmaverick · August 25, 2023, 11:46pm

In the case of CarrierService you only need to verify the HMAC signature which is available via a helper method in shopify-api-js’ utils. Any request that doesn’t verify you would deny since it wouldn’t be a genuine Shopify request.

Topic		Replies	Views
FulfillmentService -> callback_url How are you handling authentication? Fulfillment Api	3	106	May 26, 2024
Received incorrect secret key or hmac Graphql Basics And Troubleshooting	4	74	June 10, 2023
Not able to verify the shopify HMAC code Technical Q&A troubleshooting	0	34	March 5, 2026
App must verify the authenticity of the request from Shopify Shopify Apps	1	24	November 21, 2022
Error Verify Webhooks In Node.js - AWS Lambda Technical Q&A discounts , apps	0	28	February 16, 2022

CarrierService callback_url authentication

Related topics