How to validate webhook created via REST API

Broono · December 5, 2023, 7:43pm

I have registered some webhooks via the REST API accessed using the Admin API access key from the custom developed app. (No partner, no OAuth). Which secret am I supposed to use to generate the webhook SHA256 for validation? I only have Admin API access token and API secret key, no Client Secret as mentioned in the docs.

Both the Admin API access token and API secret key generate different hashes.

Broono · December 5, 2023, 8:39pm

I am helpless. Any ideas?

Sunil-Kumar · December 6, 2023, 7:30am

Validate the HMAC from request header.

OvenGui · December 6, 2023, 7:39am

Hi,

you can try this code.By the way,the code dev with python.

the “data” args, is your request body with bytes.
the “hmac_header” from your request header with key “x-shopify-hmac-sha256”.

import base64
import hashlib
import hmac

def verify_webhook(data, hmac_header):
    digest = hmac.new({Use your secret key here}.encode("utf-8"), data, digestmod=hashlib.sha256).digest()
    computed_hmac = base64.b64encode(digest)
    return hmac.compare_digest(computed_hmac, hmac_header.encode("utf-8"))

Topic		Replies	Views
How can I correctly validate webhooks in my Shopify app? Shopify Apps	0	61	January 14, 2022
Can't get to match my webhook hashes Shopify Apps shopify-apps	0	10	January 24, 2025
Verify Shopify Webhooks for private apps Shopify Discussion	2	133	April 10, 2024
How to verify a webhook in PHP? Shopify Apps	0	76	June 16, 2022
Is verifying a webhook with HMAC-SHA256 necessary for different brand stores? Technical Q&A	1	24	July 27, 2022

How to validate webhook created via REST API

Related topics