I’m noticing regular Shopify GDPR mandatory webhook requests that fail HMAC in our logs. Usually specifying an random looking store name/domain.
Does Shopify do this from time to time to test if we are still responding correctly to the HMAC check?
Thanks
Hey @Mark_Viable - we do send out GDPR webhooks fairly regularly (generally when an app is uninstalled on a shop or when a specific customer requests the redaction of their info), but to my knowledge we don’t send tests out to check HMAC validity.
Would you be able to share a webhook ID and the payload/timestamp for an example of one of these that you saw on your end? I can dig into this a little bit further on our end for sure.
Hi,
Can we continue this in a direct message in case anything I share is identifying of our customers stores?
Thanks
@Mark_Viable for sure! I’ll message yon on my end here 
It’s now been confirmed in DM that Shopify do send out regular webhook requests to test the invalid HMAC rejection.
In our experience these were once a week and used a shop erasure request.
Regards,
Mark