Shopify App Submission – Mandatory Webhooks & HMAC Verification Failing Automated Checks

Hey @Hamza_Zahid! Two things need to happen for these checks to pass: registering the webhooks via the CLI, and implementing HMAC verification in your endpoint.

For the mandatory webhooks, you need to configure them in your shopify.app.toml file and deploy with the Shopify CLI. This applies regardless of what backend tech you’re using. Add the compliance topics like this:

[webhooks]
api_version = "2025-01"

[[webhooks.subscriptions]]
topics = ["app/uninstalled"]
uri = "/webhooks"
compliance_topics = ["customers/data_request", "customers/redact", "shop/redact"]

Then run shopify app deploy from your project root. The CLI will register these with Shopify and this works regardless of your backend language (a similar thread covers this for Java apps).

For HMAC verification, your endpoint needs to compute an SHA-256 HMAC of the raw request body using your app’s client secret, then compare it to the X-Shopify-Hmac-SHA256 header. The webhook verification docs have code examples. Key thing here is you need the raw body before any JSON parsing middleware touches it. Return 200 on success, 401 if HMAC doesn’t match.

All the requirements are laid out in the mandatory compliance webhooks docs if you want the full picture - hope this gets you on track to pass those automated checks!

1 Like
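The HMAC check described in the reply above, as an added example that is not part of the original post or Shopify's documentation. It is written in Python as an assumption, since the thread does not name a backend. The function names, the secret and the sample body are constructed for illustration, and the header value is the base64-encoded digest.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values; a real app loads its client secret from configuration.
CLIENT_SECRET = "example-client-secret-not-real"
SAMPLE_BODY = b'{"shop_id":1,"shop_domain":"example.myshopify.com"}'


def sign(raw_body: bytes, secret: str) -> str:
    """Base64-encoded HMAC-SHA256 of the exact request bytes."""
    digest = hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_webhook(raw_body: bytes, header_value, secret: str) -> bool:
    """True only if the header matches the HMAC of the raw body."""
    if not header_value:
        return False
    expected = sign(raw_body, secret).encode("ascii")
    # compare_digest is constant-time, so the comparison does not leak
    # how many leading characters of the signature matched.
    return hmac.compare_digest(expected, header_value.strip().encode("utf-8"))


def handle_webhook(headers: dict, raw_body: bytes, secret: str = CLIENT_SECRET) -> int:
    """Return the HTTP status for a webhook request: 200 if verified, else 401."""
    # HTTP header names are case-insensitive; normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    if not verify_webhook(raw_body, lowered.get("x-shopify-hmac-sha256"), secret):
        return 401
    json.loads(raw_body)  # parse only after the signature has been checked
    return 200


def reserialized(raw_body: bytes) -> bytes:
    """Bytes a handler ends up with if middleware parsed the JSON and it was dumped again."""
    return json.dumps(json.loads(raw_body)).encode("utf-8")
```

Passing `reserialized(SAMPLE_BODY)` instead of the original bytes yields 401 even with a correct header, which is the failure the raw-body advice guards against.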