Compliance webhooks - 400/401 validation response status code

RAD · February 24, 2025, 10:00pm

Hi!

I just want to confirm the correct status code for the compliance webhook validation. Can you confirm if a 400 or 401 should be returned when the HMAC header is invalid?

Here (Privacy law compliance) Shopify states:

If a mandatory compliance webhook sends a request with an invalid Shopify HMAC header, then the app must return a 401 Unauthorized HTTP status.

On this page Shopify states a 400 status code should be returned:

app.post('/webhooks', express.text({type: '*/*'}), async (req, res) => {
  const {valid, topic, domain} = await shopify.webhooks.validate({
    rawBody: req.body, // is a string
    rawRequest: req,
    rawResponse: res,
  });

  if (!valid) {
    // This is not a valid request!
    res.send(400); // Bad Request
  }

  // Run my webhook-processing code here
});

Or does it even matter?

Thanks!

kyle_liu · February 25, 2025, 11:19am

Hi @RAD
After reading the shopify source code, 401 and 400 are both error codes returned by validating hmac exceptions.
First of all, in the header to get the parameters that need to be verified:
apiVersion, domain, hmac and other parameters, if the parameter is missing or parameter verification failure will return an error, when the error type for hmac verification failure, return 400, otherwise return 401

Topic		Replies	Views
Shopify Webhook HMAC Validation Failing – 401 Unauthorized Webhooks and Events troubleshooting	4	233	March 5, 2025
Unexpected HTTP 200 Response During HMAC Validation in Express.js Webhook Handler Webhooks and Events configuring , troubleshooting	2	108	February 27, 2025
I facing an error on webhook error of 401 Shopify App Store app-store	2	21	October 1, 2025
App Submission - Automated checks - Verifies webhooks with HMAC signatures Shopify App Store app-store	6	50	October 19, 2025
Hmac doesn't match (python) Webhooks and Events troubleshooting	7	249	March 24, 2025

Compliance webhooks - 400/401 validation response status code

Related topics