Mandatory Webhooks & HMAC (False Positive?)

Hi Shopify Community,

I am facing a blocking issue with the app review automated checks. I have followed the documentation and recent advice regarding shopify.app.toml configuration, but the dashboard still shows failures.

The Issue: My app fails two checks:

  1. ✗ Provides mandatory compliance webhooks

  2. ✗ Verifies webhooks with HMAC signatures

My Setup:

  • App ID: 818aa699691567f0e41851be709c5be8

  • Tech Stack: Python (FastAPI) + Railway

  • Deployment: I am using Shopify CLI (npx shopify app deploy) to push the config.

What I have done:

  1. Updated shopify.app.toml to use compliance_topics grouped (API 2025-10):


[webhooks]
api_version = "2025-10"
[[webhooks.subscriptions]]
compliance_topics = ["customers/data_request", "customers/redact", "shop/redact"]
uri = "https://jarlix-importer-production.up.railway.app/webhooks/compliance"

  2. Executed shopify app deploy --force. The CLI reports Success.

  3. Server Logs: I can see Shopify hitting my endpoint /webhooks/compliance. My server verifies the HMAC using the Client Secret and immediately returns 200 OK.

    • Log proof: POST /webhooks/compliance 200 OK

The Problem: Despite the CLI success and the server responding with 200, the Partner Dashboard automated checks remain red. It seems like the dashboard is not syncing with the CLI configuration for the “Mandatory Webhooks” check.

Has anyone resolved this recently? Is there a delay in the check updating after a CLI deploy?

Hi @lotus22! Your TOML config looks correct, so the subscription side should be fine after a successful deploy. The part that’s possibly tripping the automated check is how your endpoint responds to an invalid HMAC.

The automated checker doesn’t just send a valid webhook and look for a 200. It also sends a request with a deliberately bad HMAC signature to confirm your app rejects it. The mandatory compliance webhooks docs say: “If a mandatory compliance webhook sends a request with an invalid Shopify HMAC header, then the app must return a 401 Unauthorized HTTP status.” So if your endpoint verifies the HMAC and returns 200 regardless of the outcome, or catches the mismatch but still returns 200, that would cause the HMAC check to stay red.

Make sure your endpoint returns 401 Unauthorized when the computed HMAC doesn’t match the X-Shopify-Hmac-Sha256 header, and only returns 200 when it does match.

If the checks still aren’t passing after redeploying, post back and I can take a closer look.
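The behaviour the reply describes, as an added example that is not code from either poster: Shopify signs each webhook as base64(HMAC-SHA256(client secret, raw request body)) and sends it in X-Shopify-Hmac-Sha256, so the endpoint must recompute that over the raw bytes, compare in constant time, and answer 401 on a missing or wrong signature and 200 only on a match. The verifier below is framework-independent so it runs offline; the FastAPI route wrapping it is optional and only loads if FastAPI is installed. The secret, the sample payload and the function names are all constructed for this example.

```python
"""Verify Shopify webhook HMAC signatures; 401 on mismatch, 200 only on match.

Added example, not code from the original thread. DEMO_CLIENT_SECRET and the
sample request are constructed; a real app reads its client secret from config.
"""
import base64
import hashlib
import hmac
import json
from typing import Mapping, Optional, Tuple

HMAC_HEADER = "X-Shopify-Hmac-Sha256"

# Constructed demo secret, not a real Shopify client secret.
DEMO_CLIENT_SECRET = "shpss_demo_secret_not_real"


def sign_body(secret: str, raw_body: bytes) -> str:
    """Compute the value Shopify sends: base64(HMAC-SHA256(secret, raw body))."""
    digest = hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_shopify_hmac(secret: str, raw_body: bytes, header_value: Optional[str]) -> bool:
    """True only if header_value is the correct signature of raw_body.

    Compares bytes in constant time, so a missing, wrong-length or non-ASCII
    header simply fails instead of raising an exception.
    """
    if not header_value:
        return False
    expected = sign_body(secret, raw_body).encode("ascii")
    provided = header_value.strip().encode("utf-8", errors="replace")
    return hmac.compare_digest(expected, provided)


def handle_compliance_webhook(headers: Mapping[str, str], raw_body: bytes,
                              secret: str = DEMO_CLIENT_SECRET) -> Tuple[int, dict]:
    """Framework-independent handler returning (status_code, response_body).

    Verification runs over the raw bytes exactly as received, before any JSON
    parsing; re-serialising parsed JSON would change the bytes and break the HMAC.
    """
    lowered = {k.lower(): v for k, v in headers.items()}  # HTTP header names are case-insensitive
    if not verify_shopify_hmac(secret, raw_body, lowered.get(HMAC_HEADER.lower())):
        return 401, {"error": "invalid hmac"}
    payload = json.loads(raw_body)
    # Acknowledge quickly; the real data_request/redact work belongs in a queue.
    return 200, {"received": lowered.get("x-shopify-topic", "unknown"),
                 "shop": payload.get("shop_domain")}


try:  # Optional FastAPI wiring; the handler above does not depend on it.
    from fastapi import FastAPI, Request, Response

    app = FastAPI()

    @app.post("/webhooks/compliance")
    async def compliance(request: Request) -> Response:
        raw = await request.body()  # raw bytes, never the parsed JSON
        status, body = handle_compliance_webhook(request.headers, raw)
        return Response(content=json.dumps(body), status_code=status,
                        media_type="application/json")
except ImportError:
    pass

# Constructed sample request shaped like a customers/data_request delivery.
SAMPLE_BODY = json.dumps({"shop_id": 1, "shop_domain": "example.myshopify.com",
                          "orders_requested": [], "customer": {"id": 7}}).encode()
SAMPLE_HEADERS = {
    "X-Shopify-Topic": "customers/data_request",
    HMAC_HEADER: sign_body(DEMO_CLIENT_SECRET, SAMPLE_BODY),
}


def demo() -> Tuple[int, int, int, int]:
    """Status codes for: valid request, tampered body, bogus header, missing header."""
    good = handle_compliance_webhook(SAMPLE_HEADERS, SAMPLE_BODY)
    tampered = handle_compliance_webhook(SAMPLE_HEADERS, SAMPLE_BODY + b" ")
    bogus = handle_compliance_webhook({**SAMPLE_HEADERS, HMAC_HEADER: "nope"}, SAMPLE_BODY)
    missing = handle_compliance_webhook({"X-Shopify-Topic": "shop/redact"}, SAMPLE_BODY)
    return good[0], tampered[0], bogus[0], missing[0]


if __name__ == "__main__":
    print(demo())  # (200, 401, 401, 401)
```

The automated check's negative case corresponds to the tampered and bogus calls in demo(): both must come back 401, which is exactly what an endpoint that "verifies and then returns 200 anyway" gets wrong.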