⚙️ Shopify App Verification — Webhook & HMAC Checks Failing in Automated Review

Shopify App Store
1

Hi Shopify devs👋

I’m having trouble getting my app approved by Shopify’s automated review system.
Although everything is working correctly on my side (OAuth flow, HMAC verification, webhook registration), the automated checks still fail the following two points:

  • :cross_mark: Provides mandatory compliance webhooks

  • :cross_mark: Verifies webhooks with HMAC signatures

Everything else passes successfully.

:puzzle_piece: App Information

App Name: EkomX
Redirect URL: https://ekomx.com/shopify/callback
App URL: https://ekomx.com/shopify/start-connect
API Version: 2025-10
Scopes:

read_customers, write_customers, read_orders, write_orders, read_products, write_products

Embed app in Shopify admin: false
Use legacy install flow: false

:brain: OAuth & Callback Flow Logs

[2025-11-12 12:05:24] [Shopify Callback] HMAC verified successfully. {"shop":"ekomx.myshopify.com"}
[2025-11-12 12:05:24] [Shopify Callback] Decoded state successfully. {"user_id":6,"tenant":"ekomx.com"}
[2025-11-12 12:05:24] [Shopify Callback] Token exchange successful. {"shop":"ekomx.myshopify.com","user_id":6}
[2025-11-12 12:05:24] [Shopify Callback] Shop saved successfully. {"shop":"ekomx.myshopify.com","user_id":6}

:bell: Webhook Registration Logs

[2025-11-12 12:05:25] [Shopify Webhook Register] Base URL: https://ekomx.myshopify.com/admin/api/2025-01/webhooks.json
[2025-11-12 12:05:25] [Shopify Webhook Register] Registering Webhooks {"shop":"ekomx.myshopify.com","topics":["app/uninstalled","orders/create","orders/updated"]}
[2025-11-12 12:05:25] [Shopify Webhook Register] ✅ Success {"topic":"app/uninstalled","shop":"ekomx.myshopify.com"}
[2025-11-12 12:05:25] [Shopify Webhook Register] ✅ Success {"topic":"orders/create","shop":"ekomx.myshopify.com"}
[2025-11-12 12:05:25] [Shopify Webhook Register] ✅ Success {"topic":"orders/updated","shop":"ekomx.myshopify.com"}
[2025-11-12 12:05:26] [Shopify Connected] Shop linked successfully. {"shop":"ekomx.myshopify.com","user_id":6,"tenant":"ekomx.com"}

:white_check_mark: What’s Working Correctly

  • Immediately authenticates after install

  • Immediately redirects to app UI after authentication

  • Registers mandatory compliance webhooks (app/uninstalled, orders/create, orders/updated)

  • Verifies webhooks using HMAC validation

  • Uses a valid TLS certificate (HTTPS)

:receipt: Problem

Despite all of the above being implemented and confirmed through logs, the Shopify automated review still reports:

:cross_mark: Provides mandatory compliance webhooks
:cross_mark: Verifies webhooks with HMAC signatures

Could someone please clarify:

  • How the automated validation checks for these two points?

  • Whether there’s a specific header, response, or test endpoint Shopify expects during verification?

App Domain: ekomx.com
Callback URL: https://ekomx.com/shopify/callback

:camera_with_flash: Evidence

Attached are screenshots of:

  • OAuth flow logs

  • Webhook registration success

  • App configuration panel (showing redirect URL, scopes, and API version)

Would really appreciate if someone from the Shopify devs could confirm if there’s any additional step required for automated detection, since everything works properly when testing manually. :folded_hands:

2

The webhooks you setup are not the mandatory compliance webhooks. Please follow this document for mandatory compliance webhooks.

3

i have updated code and added mandatory compliance webhooks
shopify tomb file and cli then also cant complete :cross_mark: Provides mandatory compliance webhooks
:cross_mark: Verifies webhooks with HMAC signatures