API Webhook IP whitelist?

Josh_Larsen
Shopify Partner

Hello,

I'm trying to set up a callback server to handle the Shopify webhooks I create in my app and need to know the possible list of IPs that Shopify will be calling back from so I can set up some firewall rules. Is that list published anywhere?


Chris_Saunders
Shopify Staff

No.

Validate your webhooks and then it doesn't matter.

Chris | Shopify 
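
What "validate your webhooks" looks like on the receiving side, as an added example that is not part of the original thread and not Shopify's own code: Shopify sends a base64-encoded HMAC-SHA256 of the raw request body, keyed with the app's shared secret, in the `X-Shopify-Hmac-Sha256` header. The secret, sample body and function names below are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values, not real credentials or captured traffic.
SAMPLE_SECRET = b"example-shared-secret"
SAMPLE_BODY = b'{"id":1001,"email":"buyer@example.com"}'


def compute_signature(secret: bytes, raw_body: bytes) -> str:
    """Base64 of HMAC-SHA256 over the exact bytes received on the wire."""
    digest = hmac.new(secret, raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_webhook(secret: bytes, raw_body: bytes, header_value) -> bool:
    """True only if the header matches the HMAC of the raw body."""
    if not header_value:
        return False  # a missing or empty header is never accepted
    expected = compute_signature(secret, raw_body).encode("ascii")
    supplied = header_value.strip().encode("utf-8")
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(expected, supplied)


def handle_request(headers: dict, raw_body: bytes, secret: bytes) -> int:
    """Return the HTTP status a receiver would send for this request."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if not verify_webhook(secret, raw_body, lowered.get("x-shopify-hmac-sha256")):
        return 401  # reject before any parsing or business logic runs
    json.loads(raw_body)  # parse only after the signature checks out
    return 200


if __name__ == "__main__":
    good = {"X-Shopify-Hmac-Sha256": compute_signature(SAMPLE_SECRET, SAMPLE_BODY)}
    print(handle_request(good, SAMPLE_BODY, SAMPLE_SECRET))
    # Re-serialising the JSON changes the bytes, so the signature no longer matches.
    reserialised = json.dumps(json.loads(SAMPLE_BODY)).encode()
    print(handle_request(good, reserialised, SAMPLE_SECRET))
```

The check must run over the unmodified request bytes; frameworks that parse the body before the handler sees it need to be configured to retain the raw payload.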

Josh_Larsen
Shopify Partner

So you're telling me that it doesn't matter if I let the entire world into our internal testing web servers? I beg to differ on this point. Usually API callback systems that do calls out to their clients offer a whitelist for security reasons (i.e. Salesforce, Zuora, etc). The whitelist is not about authorizing or authenticating the call, it's about not having to expose our web port to just anyone in order to receive a callback from a specific company.

Chris_Saunders
Shopify Staff

We don't guarantee what IPs webhooks will come from, no. The current IP(s) aren't likely to be changed soon / often, but we don't recommend locking to those IPs and we don't currently support doing that, nor do we provide notice if they change.


Josh_Larsen
Shopify Partner

Thanks for the info, Chris. While not ideal, we will make adjustments to compensate.