Placement of webhook HMAC verification in a PHP app built with the Shopify CLI template. The author implemented verification following Shopify’s HTTPS webhook docs (link provided).
Key question: Whether to perform HMAC verification directly in a single webhook handler, or define separate routes for each mandatory webhook and verify within their respective controllers.
Scope: Concerns application structure and best practice for verifying Shopify webhook authenticity in PHP.
Artifacts: No code shared; the referenced Shopify documentation is central to the implementation approach.
Status: No answers or consensus yet; the thread remains open with the architectural decision (centralized vs per-route verification) unresolved.
Hello, I have used CLI PHP app template. I have implement the PHP logic to verify hmac in webhook’s handle using this link : https://shopify.dev/docs/apps/webhooks/configuration/https