Automated checks failing: “Provides mandatory compliance webhooks” + “Verifies webhooks with HMAC signatures” (Node/Express embedded app)

I’m submitting a Node.js embedded Shopify app and two automated checks are failing:

❌ Provides mandatory compliance webhooks
❌ Verifies webhooks with HMAC signatures

✅ Auth flow works (install → redirects to embedded admin UI)
✅ TLS is valid
✅ App Bridge + session tokens working
✅ Uses latest API version

Screenshot attached.


Stack / Setup

• Backend: Node + Express
• Shopify SDK: @shopify/shopify-api (with offline sessions)
• Webhooks mounted at: /webhooks/*
• Raw body captured using express.json({ verify })
• HMAC verification using crypto.timingSafeEqual
• Webhooks registered programmatically after install

Topics currently registering:

  • APP_UNINSTALLED
  • CUSTOMERS_DATA_REQUEST
  • CUSTOMERS_REDACT
  • SHOP_REDACT

Webhook test from Shopify Admin returns 200 and passes my local HMAC check, but Shopify’s automated checker still shows .


What I need help with

  1. Does Shopify require GDPR webhooks and APP_UNINSTALLED to pass the “Mandatory compliance webhooks” check?
  2. Does the checker look for exact topic names / URLs, or only subscription existence?
  3. Is there a delay before Shopify detects new webhook subscriptions (do I need to wait before clicking “Run test”)?
  4. Is there anything special required for webhook paths when using Express + rawBody? (e.g., mounting order)

If anyone has passed these two checks recently, a working example or checklist would really help.

Thanks in advance 🙏

Hi @rahul_rudra,

The mandatory compliance webhooks are customers/data_request, customers/redact, and shop/redact.

They would be failing here due to the fact that you are registering them after app install, when they should be registered as App Specific Webhooks via your app’s toml configuration file, as described in the following Shopify.dev documentation:

Reviewing your app from the screenshot, I don’t see these webhooks subscribed via your app’s configuration on the latest app version released. To correct this, you can add the webhooks to the shopify.app.toml file in the app’s root folder, and then release the new version with the shopify app deploy Shopify CLI command, like so:

[webhooks]
api_version = "2025-10"

[[webhooks.subscriptions]]
compliance_topics = ["customers/data_request", "customers/redact", "shop/redact"]
uri = "https://app.example.com/webhooks"

As for the HMAC validation, you do need to ensure that you are also passing 400 error responses on requests that fail validation as well, as that is also tested with the app review process. Example in the Shopify.dev documentation:
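
An added example, not part of the reply above and not the Shopify.dev sample it points to: a Node sketch of the raw-body HMAC check with the 400 rejection the reply describes, including the cases where `crypto.timingSafeEqual` would otherwise throw. The helper names (`verifyShopifyHmac`, `webhookStatus`, `demo`), the secret, and the payload are constructed for illustration.

```javascript
const crypto = require("node:crypto");

// In Express, keep the exact bytes Shopify signed, e.g. with the approach from
// the question: express.json({ verify: (req, _res, buf) => { req.rawBody = buf; } })
// registered before any other body parser touches the /webhooks routes.

// Compare the X-Shopify-Hmac-Sha256 header (base64) with an HMAC-SHA256 of the
// raw request bytes, keyed with the app's client secret.
function verifyShopifyHmac(rawBody, hmacHeader, secret) {
  if (typeof hmacHeader !== "string" || !Buffer.isBuffer(rawBody)) return false;
  const expected = crypto.createHmac("sha256", secret).update(rawBody).digest();
  const received = Buffer.from(hmacHeader, "base64");
  // timingSafeEqual throws on unequal lengths, so reject those first.
  return received.length === expected.length &&
    crypto.timingSafeEqual(received, expected);
}

// Hypothetical framework-agnostic helper: the status a route would send.
// 400 on failure follows the reply above.
function webhookStatus(rawBody, hmacHeader, secret) {
  return verifyShopifyHmac(rawBody, hmacHeader, secret) ? 200 : 400;
}

// Constructed sample data (not real Shopify values).
const SECRET = "constructed-test-secret";
const RAW = Buffer.from('{"shop_id": 1,  "shop_domain": "example.myshopify.com"}');
const SIG = crypto.createHmac("sha256", SECRET).update(RAW).digest("base64");
// Same JSON after parse + stringify: whitespace changes, so the bytes differ.
const REPARSED = Buffer.from(JSON.stringify(JSON.parse(RAW.toString())));

function demo() {
  return {
    valid: webhookStatus(RAW, SIG, SECRET),
    reparsedBody: webhookStatus(REPARSED, SIG, SECRET),
    missingHeader: webhookStatus(RAW, undefined, SECRET),
    truncatedHeader: webhookStatus(RAW, SIG.slice(0, 10), SECRET),
    wrongSecret: webhookStatus(RAW, SIG, "another-secret"),
  };
}

console.log(demo());
```

The `reparsedBody` case is why parser order matters: a signature computed over the original bytes does not match a body rebuilt from parsed JSON.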

Hi @Kellan-Shopify,

Thanks for the clarification and guidance.

We’ve now moved the GDPR compliance webhooks (customers/data_request, customers/redact, shop/redact) into the shopify.app.toml as App Specific Webhooks and deployed a new app version using shopify app deploy.

HMAC validation has also been updated — invalid signatures now return HTTP 400 as required.

After redeploying, both checks are now passing in the Partners dashboard.
App is ready for the final embedded checks to auto-complete.

Appreciate the support — thank you!
