Implement an HMAC signature to verify webhooks

Hello, please help. Before approving the plugin (page “Complete preliminary steps to prepare your submission”), the test automatically evaluates me as “Implement HMAC signature to verify webhooks”, and I check the HMAC and I have it correct. I understand that it is about testing compliance webhooks, but I log accesses and no record exists during testing, so I am not testing calls to these addresses. Please help, what could be wrong? Thanks, Martin

Just to confirm, did you verify the HMAC signature? Shopify sends an X-Shopify-Hmac-SHA256 header with each webhook request. This header contains a base64-encoded HMAC signature.

To verify the webhook:

  • Compute the HMAC digest using your app’s shared secret and the raw request body.
  • Compare the computed digest with the value in the X-Shopify-Hmac-SHA256 header. If they match, the webhook is authentic.
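The two verification steps above, as an added Python example (not part of the original thread and not Shopify's code). The secret, sample body and function names are constructed for illustration, and answering 401 on a failed check is this example's choice. It also shows why the digest must be computed over the raw bytes rather than a re-serialized body.

```python
import base64
import hashlib
import hmac
import json

HEADER = "x-shopify-hmac-sha256"  # header named in the reply above, lowercased

def compute_digest(secret: str, raw_body: bytes) -> str:
    """Base64-encoded HMAC-SHA256 of the raw request body."""
    mac = hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")

def verify_webhook(secret: str, raw_body: bytes, header_value) -> bool:
    """Constant-time comparison of the computed digest with the header."""
    if not header_value:
        return False  # a missing or empty header never verifies
    expected = compute_digest(secret, raw_body)
    return hmac.compare_digest(expected.encode(), header_value.strip().encode())

def handle_webhook(secret: str, headers: dict, raw_body: bytes) -> int:
    """Return an HTTP status; the body is parsed only after verification."""
    lowered = {k.lower(): v for k, v in headers.items()}  # names are case-insensitive
    if not verify_webhook(secret, raw_body, lowered.get(HEADER)):
        return 401  # assumption: reject unverified requests with 401
    json.loads(raw_body)
    return 200

# Constructed sample data (not real Shopify values).
SECRET = "example-shared-secret"
RAW = b'{"shop_domain": "example.myshopify.com",  "shop_id": 1}'
SIG = compute_digest(SECRET, RAW)

def demo() -> dict:
    # Parsing and re-dumping changes whitespace, so the bytes no longer match.
    reserialized = json.dumps(json.loads(RAW)).encode()
    tampered = RAW.replace(b'"shop_id": 1', b'"shop_id": 2')
    signed = {"X-Shopify-Hmac-SHA256": SIG}
    return {
        "valid": handle_webhook(SECRET, signed, RAW),
        "reserialized": handle_webhook(SECRET, signed, reserialized),
        "tampered": handle_webhook(SECRET, signed, tampered),
        "missing_header": handle_webhook(SECRET, {}, RAW),
        "wrong_secret": handle_webhook("other-secret", signed, RAW),
    }

if __name__ == "__main__":
    print(demo())
```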

Thanks for the insight. Yes, I check the HMAC and calculate it; it works fine in the development store. It’s just the approval process. In addition, when the test is running, none of my specified endpoints are called at all, according to the server log, and it still fails. Can someone please help? Thank you

Here are some more things you can try:

  1. Verify Webhook Subscription Setup:
     • Ensure that the webhook subscriptions are correctly configured in your app. Check the webhook topics and the endpoint URLs in the Partner Dashboard.
     • Confirm that the webhook subscription is active and matches the expected topics.
  2. Check Webhook Delivery Metrics:
     • Use the Webhook Metrics in the Partner Dashboard to view delivery logs and metrics for your app’s webhooks. This can help identify if Shopify attempted to send the webhook and if there were any delivery failures.
  3. Test Webhooks Locally:
     • Use tools like ngrok to expose your local server to the internet and test webhook delivery. Shopify also allows you to manually trigger webhooks for testing purposes.