Hi @garyrgilbert ,
The value of the X-Shopify-HMAC-Sha256 HTTP header is expected to be different for each HTTP request, and redirect. You can use your app’s shared secret/secret key (not the API key) to validate the HMAC, to verify each request and webhook.
I’ve recently created a small library to help verify Shopify HMACs here: https://github.com/shopstack-projects/shopstack-security-hmac. I hope the examples and source code are helpful to you.
Questions and feedback welcome! 