Shopify App Submission – Mandatory Webhooks & HMAC Verification Failing Automated Checks

I am building a Shopify app and submitting it to the App Store. Most automated checks pass, but I am stuck on mandatory compliance webhooks and HMAC verification. I don’t clearly understand which webhooks are required and how to properly verify them to pass Shopify’s automated checks. I’m looking for guidance on how to correctly implement and validate these webhooks.

Hey @Hamza_Zahid! Two things need to happen for these checks to pass: registering the webhooks via the CLI, and implementing HMAC verification in your endpoint.

For the mandatory webhooks, you need to configure them in your shopify.app.toml file and deploy with the Shopify CLI. This applies regardless of what backend tech you’re using. Add the compliance topics like this:

[webhooks]
api_version = "2025-01"

[[webhooks.subscriptions]]
topics = ["app/uninstalled"]
uri = "/webhooks"
compliance_topics = ["customers/data_request", "customers/redact", "shop/redact"]

Then run shopify app deploy from your project root. The CLI will register these with Shopify and this works regardless of your backend language (a similar thread covers this for Java apps).

For HMAC verification, your endpoint needs to compute an SHA-256 HMAC of the raw request body using your app’s client secret, then compare it to the X-Shopify-Hmac-SHA256 header. The webhook verification docs have code examples. Key thing here is you need the raw body before any JSON parsing middleware touches it. Return 200 on success, 401 if HMAC doesn’t match.

All the requirements are laid out in the mandatory compliance webhooks docs if you want the full picture - hope this gets you on track to pass those automated checks!

1 Like
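The HMAC check described in the reply above, as an added Node.js example (not code from the thread or from Shopify's docs). Function names, the secret and the payload are constructed; it assumes the header value is the base64-encoded digest and that the framework hands you the unparsed body as a Buffer.

```javascript
// Added example: secret, payload and function names are constructed for illustration.
const crypto = require('node:crypto');

// base64(HMAC-SHA256(clientSecret, rawBody)), computed over the exact bytes received.
function computeHmac(rawBody, clientSecret) {
  return crypto.createHmac('sha256', clientSecret).update(rawBody).digest('base64');
}

// Constant-time comparison. timingSafeEqual throws on unequal lengths, so a
// missing or malformed header is rejected before the comparison is reached.
function verifyShopifyWebhook(rawBody, hmacHeader, clientSecret) {
  if (typeof hmacHeader !== 'string' || hmacHeader.length === 0) return false;
  const expected = Buffer.from(computeHmac(rawBody, clientSecret), 'base64');
  const received = Buffer.from(hmacHeader, 'base64');
  if (received.length !== expected.length) return false;
  return crypto.timingSafeEqual(received, expected);
}

// Framework-neutral handler: req.rawBody is a Buffer, req.headers uses lowercase keys.
// The body is parsed only after the signature has been verified.
function handleWebhook(req, clientSecret) {
  const header = req.headers['x-shopify-hmac-sha256'];
  if (!verifyShopifyWebhook(req.rawBody, header, clientSecret)) return { status: 401 };
  return { status: 200, payload: JSON.parse(req.rawBody.toString('utf8')) };
}

// Constructed request showing the success path and three failure modes.
function demo() {
  const secret = 'constructed-client-secret';
  const rawBody = Buffer.from('{"shop_id": 1, "shop_domain": "example.myshopify.com"}');
  const headers = { 'x-shopify-hmac-sha256': computeHmac(rawBody, secret) };
  // What a JSON body parser effectively leaves you with: same data, different bytes.
  const reserialized = Buffer.from(JSON.stringify(JSON.parse(rawBody.toString('utf8'))));
  return {
    valid: handleWebhook({ rawBody, headers }, secret).status,
    reserializedBody: handleWebhook({ rawBody: reserialized, headers }, secret).status,
    missingHeader: handleWebhook({ rawBody, headers: {} }, secret).status,
    wrongSecret: handleWebhook({ rawBody, headers }, 'some-other-secret').status,
  };
}

console.log(demo());
```

The `reserializedBody` case is the usual cause of a failing check: the payload is intact, but the whitespace changed when it was parsed and re-stringified, so the digest no longer matches.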

Thanks a lot for the clear explanation!

Registering the mandatory webhooks via shopify.app.toml and deploying with the Shopify CLI was the missing part for me. After adding the compliance topics and implementing proper HMAC verification using the raw request body, the automated checks are now passing.

Really appreciate the guidance; this helped me understand the Shopify webhook requirements much better.

1 Like

We’re building a custom embedded Shopify app using Next.js and are currently facing repeated failures in the Embedded app automated checks, specifically the check for:

“Using the latest App Bridge script loaded from Shopify’s CDN”

Our current setup:

  • Using @shopify/app-bridge-react

  • Wrapping the app with <Provider>

  • Using NavigationMenu.create(app)

  • App Bridge version 3.7.10 (stable)

According to the checks, this approach is still allowed but marked as “not future-facing”, and despite this, the automated checks continue to fail even after logging into and interacting with the app on a dev store.

Given that Shopify docs now recommend loading App Bridge from the Shopify CDN, we’re unsure about the best path forward for a Next.js embedded app:

  • Should we continue using @shopify/app-bridge-react, or

  • Should we migrate to the Shopify CDN App Bridge script to satisfy the automated checks?

We’d appreciate guidance on the recommended approach for Next.js apps to pass embedded app checks and remain future-proof.