Hello
We are facing a dilemma regarding the usage of any of the headers that Shopify passes during the callback to a webhook. The list of generic headers (good for all topics) is well documented at https://shopify.dev/docs/apps/build/webhooks. However, there are two significant issues with them:
- The X-Shopify-Webhook-Id cannot be known by the application upfront because Shopify does not provide any specific API to retrieve that information during install. When the application registers the webhook with a store using the provided API (refer to webhookSubscriptionCreate), upon success, it returns the webhook as ‘gid://shopify/WebhookSubscription/1368875729053’. Yet, during the regular processing of the store, when a callback is made for that topic, the value provided for the X-Shopify-Webhook-Id comes as ‘1abc012a-c7b1-4009-bd54-10f18ca4404b’. How can the application know that ‘1abc012a-c7b1-4009-bd54-10f18ca4404b’ is ‘gid://shopify/WebhookSubscription/1368875729053’ before the callback to validate?
- The X-Shopify-Hmac-Sha256 cannot be calculated by the same application upfront because that header is based on the Store Webhook secret. Any Store has its own such secret. How can an installed application obtain that secret from the Store using a Shopify-provided API?
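
Added example, not part of the original post and not Shopify's code: a receiver-side check of the two headers discussed above. It assumes, per Shopify's webhook documentation, that X-Shopify-Hmac-Sha256 is the base64 HMAC-SHA256 of the raw request body keyed with the app's client secret, and it treats X-Shopify-Webhook-Id as an opaque per-delivery value used only to drop repeats; `CLIENT_SECRET`, `verify_webhook` and `sign` are hypothetical names.

```python
import base64
import hashlib
import hmac

# Constructed sample value; a real app loads its own client secret from config.
CLIENT_SECRET = b"example-client-secret"
# Assumption: delivery ids are only remembered to reject repeats.
# In production this would be a shared store with expiry, not a process-local set.
_seen_delivery_ids = set()


def _header(headers, name):
    """Case-insensitive header lookup; returns None when the header is absent."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def verify_webhook(headers, raw_body, secret=CLIENT_SECRET):
    """Return 'ok', 'bad_signature' or 'duplicate' for one delivery.

    raw_body must be the exact bytes received, before any JSON parsing.
    """
    sent = _header(headers, "X-Shopify-Hmac-Sha256")
    if not sent:
        return "bad_signature"
    try:
        sent_digest = base64.b64decode(sent, validate=True)
    except (ValueError, TypeError):
        return "bad_signature"
    expected = hmac.new(secret, raw_body, hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many bytes matched.
    if not hmac.compare_digest(sent_digest, expected):
        return "bad_signature"
    # Only record the id after the signature is proven, so forged
    # requests cannot poison the duplicate cache.
    delivery_id = _header(headers, "X-Shopify-Webhook-Id")
    if delivery_id is not None:
        if delivery_id in _seen_delivery_ids:
            return "duplicate"
        _seen_delivery_ids.add(delivery_id)
    return "ok"


def sign(raw_body, secret=CLIENT_SECRET):
    """Build the header value a sender would attach (used for constructed samples)."""
    digest = hmac.new(secret, raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode()
```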