Shopify HMAC Verification

Verify Shopify webhooks using the X-Shopify-Hmac-Sha256 header and the raw body.

Last updated: 2026-06-24

Shopify signs webhook requests with a base64 HMAC in X-Shopify-Hmac-Sha256. As with other providers, the verification must use the exact raw body.

Verification steps

  1. Read the raw payload.
  2. Read X-Shopify-Hmac-Sha256.
  3. Compute HMAC_SHA256(secret, payload) and encode it as base64.
  4. Compare the computed value with the header.

Example

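const { createHmac } = require('crypto');

// payload is the raw request body; secret is the webhook secret.
const expected = createHmac('sha256', secret)
  .update(payload, 'utf8')
  .digest('base64');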

Common mistakes

  • Comparing hex output with a base64 header
  • Parsing the body before verification
  • Forgetting to rotate old webhook secrets
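
The four verification steps as one function, with the first two mistakes above run against it. This is an added example, not code from the original page or from WebhookPilot; verifyShopifyHmac, demo, and the sample secret and body are constructed for illustration. The comparison uses Node's crypto.timingSafeEqual so it takes the same time wherever the values differ.

```javascript
const { createHmac, timingSafeEqual } = require('crypto');

// rawBody: Buffer holding the exact bytes received on the wire.
// headerValue: the X-Shopify-Hmac-Sha256 header as a string.
function verifyShopifyHmac(rawBody, headerValue, secret) {
  // A missing header or an already-parsed body is a failed verification.
  if (!Buffer.isBuffer(rawBody) || typeof headerValue !== 'string') return false;
  const expected = Buffer.from(
    createHmac('sha256', secret).update(rawBody).digest('base64'), 'utf8');
  const received = Buffer.from(headerValue, 'utf8');
  // timingSafeEqual throws on unequal lengths, so reject those first.
  // A hex digest (64 chars) fails here against the base64 value (44 chars).
  if (received.length !== expected.length) return false;
  return timingSafeEqual(received, expected);
}

// Constructed sample data; the secret is not a real one.
const SAMPLE_SECRET = 'constructed-test-secret';
// The spacing is deliberate: these exact bytes are what the sender signed.
const SAMPLE_BODY = Buffer.from('{"id": 1001,  "total_price": "19.90"}', 'utf8');

function sign(body, encoding) {
  return createHmac('sha256', SAMPLE_SECRET).update(body).digest(encoding);
}

function demo() {
  const header = sign(SAMPLE_BODY, 'base64');
  // Mistake: parse first, then verify the re-serialized JSON. The whitespace
  // is gone, so the bytes no longer match what was signed.
  const reparsed = Buffer.from(
    JSON.stringify(JSON.parse(SAMPLE_BODY.toString('utf8'))), 'utf8');
  return {
    valid: verifyShopifyHmac(SAMPLE_BODY, header, SAMPLE_SECRET),
    hexHeader: verifyShopifyHmac(SAMPLE_BODY, sign(SAMPLE_BODY, 'hex'), SAMPLE_SECRET),
    reparsedBody: verifyShopifyHmac(reparsed, header, SAMPLE_SECRET),
    wrongSecret: verifyShopifyHmac(SAMPLE_BODY, header, 'another-constructed-secret'),
    missingHeader: verifyShopifyHmac(SAMPLE_BODY, undefined, SAMPLE_SECRET),
  };
}

console.log(demo());
```

In a real handler, pass the body Buffer captured before any JSON middleware runs.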

FAQ

Which header contains the signature?

X-Shopify-Hmac-Sha256.

What else should I log for debugging?

Log the topic, shop domain, and verification result, not the secret itself.

WebhookPilot includes a built-in Shopify verification tool in the event dashboard.