Issue Verifying Webhook HMAC from Shopify

Hi everyone,

I’ve been stuck for a few days trying to verify webhooks sent from Shopify, and I’d really appreciate some help from the community.

I’m building a public app using NestJS, and I’m trying to validate incoming webhooks using the X-Shopify-Hmac-SHA256 header.

Here’s what I’ve done so far:

  • I followed the Shopify webhook verification docs step by step.
  • I’m using the app’s API secret key to recreate the HMAC.
  • I made sure to use the raw request body (req.rawBody) as recommended, and I confirmed it’s captured correctly.
  • I’ve tried both manually generating the HMAC and using the @shopify/shopify-api package’s validateWebhookRequest() method.

But in both cases, the generated HMAC does not match the one sent in Shopify’s X-Shopify-Hmac-SHA256 header.

My current setup:

  • Framework: NestJS (Express-based)
  • Middleware: I added custom middleware to attach req.rawBody before any parsing
  • HMAC Generation:

Yet generatedHmac !== headerHmac.


Has anyone successfully verified Shopify webhooks using NestJS and raw body handling?

Could there be something I’m missing with encoding or middleware setup?

Thanks in advance for any insights 🙏

I’m not familiar with NestJS, but I suspect the problem is with the rawBody field.

I had to use a raw-body package to correctly build the HMAC signature.

A couple of other things to try:

  1. Use a hardcoded "x-shopify-hmac-sha256" property key instead, just in case the key is undefined in the ShopifyHeader.Hmac object.

  2. Double check that SHOPIFY_CLIENT_SECRET is your private API key. And also make sure it’s from the right app. I’ve had this issue crop up when I’m using the wrong app’s config.

Thank you so much. Now, although I can verify the Shopify HMAC successfully locally, on the VPS server generatedHmac !== headerHmac.

Great! Could you share exactly what fixed the issue for you? Helps others to know what change fixed the problem for you.

I assume you’ve deployed your code to your server. If that’s the case, then the problem is most likely your Shopify API keys are not correct.

If you’re using a separate Shopify App for staging/production, then make sure the server has the correct public and private Shopify API keys set.

My code goes through the gateway and the req.body is parsed there, so I handled it by separating it from the gateway. As for the server, I’m sure the key is correct, but I don’t know where the problem is.

Hi @tuanna

Has the complete req.rawBody value been output on the VPS server and checked for any abnormal data?
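The raw-body point discussed in this thread, as an added example that is not part of any post here and is not Shopify's or NestJS's own code: it verifies the base64 HMAC-SHA256 header over the exact bytes received and shows that a body parsed and re-serialized upstream (by a gateway or body parser) no longer matches. The secret, payload and function names are constructed for illustration; `bodyFingerprint` is a hypothetical helper for comparing what local and server environments actually receive without logging the body itself.

```javascript
const crypto = require('node:crypto');

// Verify the base64 HMAC-SHA256 header against the exact bytes received.
function verifyShopifyHmac(rawBody, headerHmac, secret) {
  if (!Buffer.isBuffer(rawBody) || typeof headerHmac !== 'string') return false;
  const expected = crypto.createHmac('sha256', secret).update(rawBody).digest();
  const received = Buffer.from(headerHmac, 'base64');
  // timingSafeEqual throws on length mismatch, so check length first.
  return received.length === expected.length &&
    crypto.timingSafeEqual(received, expected);
}

// Length and SHA-256 of the body: safe to log, and comparable across hosts.
function bodyFingerprint(rawBody) {
  return {
    bytes: rawBody.length,
    sha256: crypto.createHash('sha256').update(rawBody).digest('hex'),
  };
}

// Constructed sample data (not real Shopify values).
const SECRET = 'constructed-test-secret';
const RAW = Buffer.from(
  '{"id": 1001,  "note": "caf\\u00e9", "total": "10.00"}', 'utf8');
const HEADER = crypto.createHmac('sha256', SECRET).update(RAW).digest('base64');

// What arrives after an upstream hop parses and re-serializes the JSON:
// same data, different bytes (whitespace dropped, \u escape resolved).
const REPARSED = Buffer.from(
  JSON.stringify(JSON.parse(RAW.toString('utf8'))), 'utf8');

function demo() {
  return {
    rawBytes: verifyShopifyHmac(RAW, HEADER, SECRET),
    reSerialized: verifyShopifyHmac(REPARSED, HEADER, SECRET),
    wrongSecret: verifyShopifyHmac(RAW, HEADER, 'other-app-secret'),
    missingHeader: verifyShopifyHmac(RAW, undefined, SECRET),
    sameFingerprint:
      bodyFingerprint(RAW).sha256 === bodyFingerprint(REPARSED).sha256,
  };
}

console.log(demo());
console.log('raw     ', bodyFingerprint(RAW));
console.log('reparsed', bodyFingerprint(REPARSED));
```

If the fingerprint logged on the server differs from the one logged locally for the same webhook, something in front of the handler is altering the body before verification.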