FROM CACHE - en_header

API Webhook IP whitelist?

Josh_Larsen
Shopify Partner
7 0 0

Hello,

I'm trying to setup a callback server to handle the shopify webhooks I create in my app and need to know the possible list of IP's that Shopify will be calling back from so I can setup some firewall rules. Is that list published anywhere?

Replies 4 (4)
Chris_Saunders
Shopify Staff
Shopify Staff
591 0 52

No.

Validate your webhooks and then it doesn't matter.

Chris | Shopify 
 - Was my reply helpful? Click Like to let me know! 
 - Was your question answered? Mark it as an Accepted Solution
 - To learn more visit the Shopify Help Center or the Shopify Blog

Josh_Larsen
Shopify Partner
7 0 0

So you're telling me that it doesn't matter if I let the entire world into our internal testing web servers? I beg to differ on this point. Usually API callback systems that do calls out to their clients offer a whitelist for security reasons (ie. Salesforce, Zuora, etc). The whitelist is not about authorizing or authenticating the call, it's about not having to expose our web port to just anyone in order to received a callback from a specific company.

Chris_Saunders
Shopify Staff
Shopify Staff
591 0 52

We don't guarantee what IPs webhooks will come from, no.  The current IP(s) aren't likely to be changed soon / often, but we don't recommend locking to those IPs and we don't currently support doing that, nor do we provide notice if they change.

Chris | Shopify 
 - Was my reply helpful? Click Like to let me know! 
 - Was your question answered? Mark it as an Accepted Solution
 - To learn more visit the Shopify Help Center or the Shopify Blog

Josh_Larsen
Shopify Partner
7 0 0

Thanks for the info Chris. While not ideal, we will make adjustments to compensate.