Back to home

How to Inspect Shopify Webhook Payloads

Capture Shopify topics, inspect order or product payloads, and verify the X-Shopify-Hmac-Sha256 header.

Last updated: 2026-06-24

Shopify webhook debugging starts with a public endpoint that records the X-Shopify-Topic header, the raw body, and the X-Shopify-Hmac-Sha256 signature.

Steps

  1. Create a WebhookPilot URL.
  2. Register it in your Shopify app or store settings.
  3. Trigger an order, product, or customer event.
  4. Inspect the topic and payload shape.
  5. Verify the Shopify HMAC signature.

Example

curl -X POST "https://your-domain.com/hook/shopify-test" \
  -H "Content-Type: application/json" \
  -H "X-Shopify-Topic: orders/create" \
  -H "X-Shopify-Hmac-Sha256: test" \
  -d '{"id":1001,"email":"buyer@example.com","total_price":"29.00"}'

Common mistakes

  • Trusting the payload before HMAC verification
  • Dropping the topic header during debugging
  • Sharing customer data without redaction

FAQ

Which header tells me the event name?

X-Shopify-Topic identifies the topic, such as orders/create.

Which header contains the signature?

X-Shopify-Hmac-Sha256 contains a base64-encoded HMAC digest.

See Shopify HMAC verification for implementation details.