Shopify Flask app request not sending HMAC parameter

Topic summary

A developer is building a Shopify app using Flask that integrates with Facebook. After Facebook redirects to the Shopify callback route, the HMAC parameter required for request verification is missing from the URL.

Current situation:

  • The callback URL contains only code and state parameters
  • No hmac parameter is present, causing validation to fail
  • The error page displays garbled text including encoded characters and reversed strings
  • Logging shows the hmac_signature variable equals “None”

Key challenges:

  • Shopify’s official documentation lacks Flask-specific guidance for app development
  • The developer has sought help on StackExchange and other forums for 3 days without responses
  • Uncertainty about whether the implementation is incorrect or if Shopify sends different response formats

Status: The issue remains unresolved. The developer is questioning whether HMAC verification is particularly difficult to work with and wants to continue development but is blocked by this authentication problem.

Summarized with AI on November 10. AI used: claude-sonnet-4-5-20250929.

Building this Shopify app with Flask that interfaces with Facebook, but when Facebook redirects me through the callback I’m not getting an HMAC parameter for verification.

This is the validation function:

import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# SHOPIFY_API_SECRET is defined elsewhere in the app

def is_valid_request(params, hmac_signature):
    # Parse the raw query string into a dict
    parsed_params = dict(parse_qsl(params, keep_blank_values=True))

    # Remove the hmac parameter
    parsed_params.pop('hmac', None)

    # Reconstruct the query string without the hmac parameter
    msg = urlencode(sorted(parsed_params.items()))

    # Create a new HMAC and verify it against the provided value
    hmac_calculated = hmac.new(SHOPIFY_API_SECRET.encode('utf-8'), msg.encode('utf-8'), hashlib.sha256).hexdigest()

    if hmac_signature is None:
        print("hmac_signature is None.")
        return False

    return hmac.compare_digest(str(hmac_calculated), str(hmac_signature))

And this is the section of the Shopify callback that handles HMAC verification:

@app.route('/shopify/callback', methods=['GET'])
def callback():
    shop = request.args.get('shop')
    code = request.args.get('code')
    hmac_signature = request.args.get('hmac')
    # Validate the HMAC signature
    params = request.query_string.decode("utf-8")
    # Ensure the request is from Shopify

    if not is_valid_request(params, hmac_signature):
        print(is_valid_request(params, hmac_signature))
        return str("Invalid signature"), 403

After connecting with Facebook, it redirects to the Shopify callback route and shows a page that says “Invalid signature”. I tried logging the signature to see what it looked like, and it was equal to “None”. Printing out the params variable shows a long string of text which I assume is supposed to have the HMAC parameter, but the only readable English is code= and state= followed by a bunch of random numbers and letters.

Am I doing something wrong? Should there be a different response from Shopify? There’s no documentation in the Shopify dev docs on using Flask to build an app, so finding solutions is a little tough.

The full callback URL very clearly has two parameters that I can see: the code parameter and the state parameter. There is no HMAC parameter, like there should be.

Here is a URL redirect I get from the callback function:

https://appurl.com/shopify/callback?code=AQBKkiaVmjmD7HYsZ7CUz8cOvn8V_GSR3VzGsdLyOO419dG4p3qAajSzFrqO5sHAiMCcd1jfA-QbMBfSg_--oAFRNvNBQXhYOUJQoLcQRmT_SNxLnLvS5TyUlMG6fNip6xdhB44Md3mASORuDYOmFJ39jZvigUi9zfvTPsmMNXFmj8Df0JKtLJmm7lON7mvMqNMMGNC3fMHM8OY2dMHSR2U0HYN9NUci19zNGAJ3L0imOUhD4UXCTocRdUJLMxjkJYy7kO-bB1FG2fVVt13J8XLNy2BTZpHzvV-GPK-f8kXVQlUtUUmBfQfnynbtZss2VFxtpDjt0OMJs5Q4XNJix1UToUQ5OjzCHb1zMCfrpPsZ1phDmjo_BvAAMzsOb8HXp4O&state=b%27Xa%5Cx8d%5Cx91%5Cx88%5Cxf7%5Cx00%5Cxc4%5Cxa4V%5Cx00%5Cxf0%5Cx18%5Cxb6%5Cx8f%5Cxab%5Cxb1Z%60%5Cxdb4%5Cx01X%5CxO9%27#_=_

As you can see, the code parameter and state parameter can be seen here, but there’s no hmac parameter.

I’ve tried reaching out to a number of places for support, including StackExchange and other forums, and nobody has replied in the past 3 days. Is HMAC verification really this difficult to work with? I just want to be able to continue development on my app, but there’s no documentation on specifically using Flask in the official Shopify Docs.
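An added example, not code from the original posts: a self-contained check that reports separately whether a callback query string is correctly signed, has been altered, or carries no hmac at all, as in the URL quoted above. The secret, parameter values and the names check_callback, canonical_message, sign and demo_queries are constructed for illustration, and the message is built the same way as in the post's function, which is an assumption rather than a confirmed Shopify rule.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# Constructed secret for the demo; a real app loads this from configuration.
DEMO_SECRET = "constructed-demo-secret"


def canonical_message(pairs):
    """Sorted, re-encoded query without the hmac pair (as in the post)."""
    return urlencode(sorted((k, v) for k, v in pairs if k != "hmac"))


def sign(pairs, secret=DEMO_SECRET):
    """Hex HMAC-SHA256 over the canonical message."""
    msg = canonical_message(pairs).encode("utf-8")
    return hmac.new(secret.encode("utf-8"), msg, hashlib.sha256).hexdigest()


def check_callback(query_string, secret=DEMO_SECRET):
    """Return 'ok', 'missing_hmac', 'duplicate_hmac' or 'bad_hmac'."""
    pairs = parse_qsl(query_string, keep_blank_values=True)
    supplied = [v for k, v in pairs if k == "hmac"]
    if not supplied:
        return "missing_hmac"    # unsigned request: nothing to verify
    if len(supplied) > 1:
        return "duplicate_hmac"  # ambiguous input, reject
    expected = sign(pairs, secret)
    # Compare as bytes so a non-ASCII value cannot raise TypeError.
    if hmac.compare_digest(expected.encode(), supplied[0].encode("utf-8")):
        return "ok"
    return "bad_hmac"


def demo_queries():
    """Constructed query strings: signed, altered after signing, unsigned."""
    base = [("code", "constructed-code"), ("shop", "example.myshopify.com"),
            ("state", "constructed-nonce"), ("timestamp", "1700000000")]
    signed = urlencode(base + [("hmac", sign(base))])
    tampered = signed.replace("example.myshopify.com", "other.myshopify.com")
    unsigned = "code=constructed-code&state=constructed-nonce"
    return {"signed": signed, "tampered": tampered, "unsigned": unsigned}


if __name__ == "__main__":
    for name, query in demo_queries().items():
        print(name, "->", check_callback(query))
```

Logging these outcomes separately shows whether a rejected callback was altered in transit or was never signed in the first place.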