How to register GDPR webhooks

Shopify App Store
1

Hi there,

I ran into the following. I created an app that does nothing more than the auth flow. It collects an api key that is stored in my own app, so that my app can communicate with Shopify. This process does not require a UI, so there is no UI.

For your information, I install the app, Shopify visits an endpoint of my app, which redirects to the auth endpoint. In turn, Shopify returns to my app providing a code, which I use to fetch the access token an my app finalizes the flow.

I use that to connect my customer’s instance with their Shopify shop, so I can exchange data. Look at it as an ERP connection. This process runs entirely in the backend, no user input needed.

I have tested the app and it works as expected, so now I would like Shopify to review it. But I seem not able to post it for review. As it turns out, I am (at least) missing the GDPR webhooks. So I implemented them, but now I need to register my endpoints to Shopify. And that’s where I got stuck.

There is a lot of outdated data out there, so it was a bit of a struggle, but I believe that the registering through the Partner Dashboard is no longer accurate and that I should add something to a project file instead.

And that’s where the my pleasant life becomes unpleasant, because, as explained, I do not have a project file.

My main question is, is there a way to circumvent this?

Any help would be highly appreciated.

R.
cirqman

2

Hi @cirqman

You’re right that the old Partner Dashboard method for configuring compliance webhooks has been replaced. The current approach uses a shopify.app.toml config file with the Shopify CLI, but the good news is you don’t need to rebuild your app or change your architecture. You can create a minimal TOML file purely for registering your webhooks.

Install the Shopify CLI (npm install -g @shopify/cli), then create a shopify.app.toml file in any directory with just the essentials:

name = "Your App Name"
client_id = "your-app-client-id"

[webhooks]
api_version = "2025-01"

[[webhooks.subscriptions]]
compliance_topics = ["customers/data_request", "customers/redact", "shop/redact"]
uri = "https://your-app.example.com/webhooks/compliance"

Then run shopify app deploy from that directory and your compliance webhooks are registered — no UI or project restructuring needed. Just make sure your endpoint accepts POST requests with a JSON body, verifies the HMAC signature (returning 401 if invalid), and responds with a 200 status. Even if your app doesn’t store customer data, the endpoints still need to exist and respond correctly.

Full details in the mandatory webhooks docs. Hope that unblocks you!