Why we don't need to verify the webhook when using google pub/sub?

manit4c · September 28, 2022, 10:25am

Hi,

i’ve followed this two tutorial to create register and use a webhook :

https://shopify.dev/apps/webhooks/configuration/google-cloud#google-cloud-pub-sub-message-structure

https://www.youtube.com/watch?v=m9MQyRWnMdU

In the first one they say : “unlike with an HTTP webhook, you don’t need to perform HMAC verification”

I don’t understand why, no verification is needed !

How, can i be sure that is shopify who call my google pub/sub route registered in the webhook and not another person with bad intention ?

Can someone help me understand this ?

phase0 · November 27, 2022, 2:52pm

You gave Shopify’s service account explicit permission to trigger your webhook. Only systems with access to that Service Account (which is Shopify) can authenticate using that service account.

Read more about Google’s service accounts:

https://cloud.google.com/iam/docs/service-accounts

Topic		Replies	Views
Cannot get pubsub webhook to work Shopify Apps troubleshooting , webhooks	2	35	December 21, 2025
Is verifying a webhook with HMAC-SHA256 necessary for different brand stores? Technical Q&A	1	29	July 27, 2022
Is Webhook Verification still needed when using Shopify.Webhooks.Registry.process() ? Technical Q&A	0	5	July 23, 2022
Failing at webhook HMAC verification step. Shopify Apps shopify-apps	1	103	August 25, 2024
Verify Shopify Webhooks for private apps Shopify Discussion	2	187	April 10, 2024

Why we don't need to verify the webhook when using google pub/sub?

Related topics