Implement an HMAC signature to verify webhooks

Hello, please help. Before approving the plugin (page Complete preliminary steps to prepare your submission), the test automatically evaluates me as “Implement HMAC signature to verify webhooks”, and I check the HMAC and I have it correct. I understand that it is about testing Compliance webhooks, but I log accesses and no record exists during testing, so I am not testing calls to these addresses. Please help, what could be wrong? Thanks, Martin

Just to confirm, did you verify the HMAC signature? Shopify sends an X-Shopify-Hmac-SHA256 header with each webhook request. This header contains a base64-encoded HMAC signature.

To verify the webhook:

  • Compute the HMAC digest using your app’s shared secret and the raw request body.
  • Compare the computed digest with the value in the X-Shopify-Hmac-SHA256 header. If they match, the webhook is authentic.

Thanks for the insight. Yes, I check and calculate the HMAC and it works fine in the development store. It’s just the approval process. In addition, when the test is running, none of my specified endpoints get called at all, according to the server log, and it still fails. Can someone please help? Thank you

Here are some more things you can try:

  1. Verify Webhook Subscription Setup:
  • Ensure that the webhook subscriptions are correctly configured in your app. Check the webhook topics and the endpoint URLs in the Partner Dashboard.
  • Confirm that the webhook subscription is active and matches the expected topics.
  2. Check Webhook Delivery Metrics:
  • Use the Webhook Metrics in the Partner Dashboard to view delivery logs and metrics for your app’s webhooks. This can help identify if Shopify attempted to send the webhook and if there were any delivery failures.
  3. Test Webhooks Locally:
  • Use tools like ngrok to expose your local server to the internet and test webhook delivery. Shopify also allows you to manually trigger webhooks for testing purposes.

@Liam-Shopify thanks for your response on this. I was having trouble verifying the HMAC of my webhook and your note about using the “raw request body” really helped me out.

This whole time I thought you were supposed to use the JSON data from the webhook to create a hash to test against the “X-Shopify-Hmac-Sha256” value in the headers.

And now that I figured it out, I want to put a note for anyone else having trouble getting the raw request body on a Shopify app made with Express.js or pretty much any Node.js based setup.

If you are using body-parser to parse requests made to your server, you will run into some trouble getting the raw request body data into your code.

Here is a Stack Overflow post that I found that helped me find a solution for this:

And to anyone that is not using a Node.js based setup, you can just take the general logic and have AI convert it to whatever language you are using (or do it yourself).

@Liam-Shopify

I believe I implemented everything properly but the automated check still fails.

Can you maybe help me understand how to debug this?

Where can I see what is actually tested? What actually failed? It is all very vague...

Any help here would be greatly appreciated.

I had this issue as well with the admin webhooks that I couldn't solve. I can't seem to match it either.