how to authenticate Shopify webhook for my backend application

Technical Q&A

Topic summary

  • Central issue: A .NET backend exposing an endpoint for Shopify webhooks currently enforces authentication ([Authenticate]). The poster asks how to authorize and verify requests that originate from Shopify so the webhook calls aren’t rejected.

  • Context: When calling Shopify REST endpoints from a third-party app, authorization is required. Conversely, Shopify will initiate webhook calls to the backend endpoint, which will fail without authorization under the current setup.

  • Evidence/attachments: A screenshot of the webhook creation response in Shopify is included, but it doesn’t provide technical details on verification. A brief code snippet indicates the endpoint is protected.

  • Status: No solution provided yet; the question remains open. Key unanswered items: the method to validate Shopify as the sender and how to configure endpoint authentication to allow legitimate webhook requests.

Summarized with AI on February 12. AI used: gpt-5.
1

I am working on a dotnet application on the backend to manage inventories and the Shopify store to manage orders.

Calling a Shopify REST endpoint from a third-party application forces us to do authorization but when Shopify calls my application endpoint how can I authorize and verify them?

[Authenticate]
some endpoint () {
    // this endpoint is exposed for the Shopify webhook.
}

This is the response return when creating a webhook on Shopify.

Shopify webhook response
Shopify webhook response1048×960 100 KB

Now when this webhook will trigger it will hit my endpoint and without authorization, it will fail.

How can I authorize this webhook?