Shopify Webhook HMAC Validation Failing – 401 Unauthorized

We are implementing Shopify webhooks but are receiving 401 Unauthorized responses despite verifying the HMAC signature using the shared secret key.

Here’s the verification method (C#) we are using:

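// Requires: using System; using System.Linq; using System.Security.Cryptography; using System.Text;
private bool Validate(string _hmacHeader, string _data, string sharedSecretKey)
{
    // Key the HMAC with the UTF-8 bytes of the shared secret.
    using (HMACSHA256 hmac = new HMACSHA256(Encoding.UTF8.GetBytes(sharedSecretKey)))
    {
        // Hash the request body and compare it with the base64-decoded header value.
        byte[] hashBytes = hmac.ComputeHash(Encoding.UTF8.GetBytes(_data));
        return Convert.FromBase64String(_hmacHeader).SequenceEqual(hashBytes);
    }
}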

Steps We Have Taken:

  • Using the correct webhook secret from Shopify.
  • Ensuring raw request body is used for hashing.
  • Verifying HTTPS is enabled for our webhook endpoint.
  • Comparing the computed HMAC securely.
  • Logging received vs computed HMAC values, and they do not match.

Can anyone confirm if there are any known issues or additional requirements we should check?
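
An added example, not code from the original post or from Shopify: the same HMAC-SHA256 check written over the raw body bytes with a constant-time comparison, run once on the bytes as sent and once on JSON that was parsed and written back out. It goes beyond the posted method to show why the "raw request body" step matters; the class name, secret and payload are constructed for the illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

public static class WebhookHmacDemo
{
    // Checks a base64 HMAC-SHA256 header value against the exact bytes received.
    public static bool Verify(byte[] rawBody, string hmacHeader, string secret)
    {
        // A malformed or wrong-length header is rejected instead of throwing.
        byte[] received = new byte[32];
        if (hmacHeader is null ||
            !Convert.TryFromBase64String(hmacHeader.Trim(), received, out int written) ||
            written != received.Length)
            return false;

        using var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(secret));
        byte[] computed = hmac.ComputeHash(rawBody);
        // Constant-time comparison, unlike SequenceEqual.
        return CryptographicOperations.FixedTimeEquals(computed, received);
    }

    public static void Main()
    {
        const string secret = "constructed-demo-secret"; // constructed, not a real secret
        // Constructed payload with the sender's own spacing.
        const string wireJson = "{\"id\": 1001, \"note\": \"a b\"}";
        byte[] wire = Encoding.UTF8.GetBytes(wireJson);

        // Sender side: sign the bytes that go on the wire.
        string header;
        using (var signer = new HMACSHA256(Encoding.UTF8.GetBytes(secret)))
            header = Convert.ToBase64String(signer.ComputeHash(wire));

        // Receiver hashing the untouched request bytes.
        Console.WriteLine($"raw body:      {Verify(wire, header, secret)}");

        // Receiver hashing JSON that was parsed and written back out.
        using JsonDocument doc = JsonDocument.Parse(wireJson);
        byte[] rewritten = JsonSerializer.SerializeToUtf8Bytes(doc.RootElement);
        Console.WriteLine($"re-serialized: {Verify(rewritten, header, secret)}");
    }
}
```

The second check fails because the serializer drops the spaces after `:` and `,`, so the hashed bytes are no longer the bytes that were signed.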

How did you create the webhook? Using your app or via the GraphiQL app?

Even I am facing the same issue. I created the webhook for topic read_orders using the app, and I am getting a similar response.

I am also seeing the same issue. Webhooks all of a sudden started failing due to validation errors.

Apparently, if you try the bash command to trigger the webhook, it would succeed: shopify app webhook trigger --topic orders/create --address https://your-app-url/webhooks. I do not get why the webhooks are not working from the browser client.