We are creating web-hooks using the Admin API and not the dashboard.
What is the “shared secret” in this case?
We have tried the “client_secret” of the app created but it has failed to work.
This is our java code:
final String hmac = httpServletRequest.getHeader("X-Shopify-Hmac-SHA256");
final String body = IOUtils.toString(httpServletRequest.getInputStream(), StandardCharsets.UTF_8);
SecretKeySpec signingKey = new SecretKeySpec(SECRET.getBytes(), ALGORITHM);
Mac mac = Mac.getInstance(ALGORITHM);
mac.init(signingKey);
String generatedHmacBase64 = Base64.getUrlEncoder().withoutPadding().encodeToString(mac.doFinal(message.getBytes()));
S.O.P(hmac.equals(generatedHmacBase64)); // ALWAYS FALSE