FROM CACHE - en_header

Do I register for GDPR Hooks?

Shopify Partner
35 0 7


Im reviewing my GDPR hooks code against the Shopify tutorial -


One thing Im not clear on is whether I need register the mandatory hooks, or are they preregistered?


If I consider the server.js example in the above tutorial then would I expect an implementation like -

  • customers/redact - Requests deletion of customer data.
  • shop/redact - Requests deletion of shop data.
  • customers/data_request - Requests to view stored customer data.

Id expect the code to be -


      apiKey: SHOPIFY_API_KEY,
      scopes: ['read_products', 'write_products'],
      async afterAuth(ctx) {
        const { shop, accessToken } = ctx.session;
        ctx.cookies.set("shopOrigin", shop, { httpOnly: false });

        const registration = await registerWebhook({
          address: `${HOST}/webhooks/products/create`,
          topic: 'PRODUCTS_CREATE',
          accessToken, shop, apiVersion: ApiVersion.October19

        const registrationRedact = await registerWebhook({
          address: `${HOST}/webhooks/customers/redact`,
          topic: 'customers/redact',
          accessToken, shop, apiVersion: ApiVersion.October19
        await getSubscriptionUrl(ctx, accessToken, shop);

  const webhook = receiveWebhook({ secret: SHOPIFY_API_SECRET_KEY });'/webhooks/products/create', webhook, (ctx) => {
    console.log('received webhook: ', ctx.state.webhook);
  });'/webhooks/customers/redact', webhook, (ctx) => {
    console.log('received webhook: ', ctx.state.webhook);

Is this correct?


Replies 4 (4)
Shopify Partner
80 8 23

Hey 🙂


I just went through this recently myself. My understanding is that you cannot register the GDPR URLs in the same was as ordinary Shopify webhooks. You have to implement your own endpoints and provide the three URLs to Shopify when creating the app.


Even though they are custom URLs, the calls to them can still be validated to make sure they come direct from Shopify in the same way that webooks are validated.


Hope that helps! Let me know if I can clarify anything! 

Joshua Sarros - Freelance Web Developer from Melbourne, Australia
Shopify Partner
2 0 1
I am also currently reviewing my GDPR webhooks implementation of my app.

What I see is that Shopify already registered the webhooks as default and you need to provide your endpoints URL in the Shopify Partner -> App -> Your App -> App Settings.

Then Shopify will send a POST request to your those endpoints, but the caveat in this is that you can’t include the route for the endpoints in your Nodejs/Koa server (if you follow the tutorial) because there is no shop query and OAuth coming from Shopify.

I will try to create endpoints in a separate server/environment (planning on using google Cloud Functions) for this and see if it works.
Shopify Partner
35 0 7



I ended up writing a little script to generate the shopify checksum for my GDPR messages to allow me to test this


The advantage was that I could send multiple messages to the endpoint through a rest client so sped up development


I need to post the script or do a blog post

9 1 3

I'm still struggling to implement webhooks from the shopify koa sample application. 

Should I still use this pattern?


  const webhook = receiveWebhook({ secret: SHOPIFY_API_SECRET });"/gdpr/shop/redact", webhook, (ctx) => {
    console.log("received webhook: ", ctx.state.webhook);
    ctx.body = { message: "No shop data is stored" };