Webhook HMAC verification for a Shopify app is failing in Node.js despite using the correct app secret. The code computes an HMAC-SHA256 over JSON.stringify(context.params) and Base64-encodes it, but the resulting value does not match Shopify’s expected signature. The request body is being read from context.params, and the unresolved question is why hashing that JSON string leads to a verification mismatch (likely due to not using the raw request body).
Hello
I am trying to validate webhook hmac verification with just nodejs but always getting verification failed. I am passing valid app secret key.
this is how my code looks
var hmacByCrypto = crypto
.createHmac(‘sha256’, client_secret)
.update(JSON.stringify(context.params))
.digest(‘base64’);
I am receiving body in context.params field