Hi, I am trying to develop a custom app that can be published in the Shopify store.
Currently I am using it in a development store. Whenever I try to create a webhook for order/create, I get a 403 error. I used the read_orders and write_orders scopes, but the 403 error still occurs.
I am using version 2.25 of the Node Shopify API.
Is any special scope needed to create a webhook? The full error response is below:
{
"name": "HTTPError",
"hostname": "yalabs-store.myshopify.com",
"method": "POST",
"path": "/admin/api/2024-04/webhooks.json",
"protocol": "https:",
"statusCode": 403,
"statusMessage": "Forbidden",
"headers": {
"date": "Mon, 05 May 2025 03:20:53 GMT",
"content-type": "application/json; charset=utf-8",
"transfer-encoding": "chunked",
"connection": "keep-alive",
"x-sorting-hat-podid": "193",
"x-sorting-hat-shopid": "66483421378",
"vary": "Accept-Encoding",
"referrer-policy": "origin-when-cross-origin",
"x-frame-options": "DENY",
"x-shopid": "66483421378",
"x-shardid": "193",
"x-stats-userid": "",
"x-stats-apiclientid": "248072765441",
"x-stats-apipermissionid": "494075576514",
"x-shopify-api-version": "2024-04",
"x-shopify-shop-api-call-limit": "1/40",
"strict-transport-security": "max-age=7889238",
"x-request-id": "b4abf47d-2db3-4198-84b9-c9800aa8efab-1746415253",
"server-timing": "processing;dur=36, cfRequestDuration;dur=331.000090",
"content-security-policy": "default-src 'self' data: blob: 'unsafe-inline' 'unsafe-eval' https://* shopify-pos://*; block-all-mixed-content; child-src 'self' https://* shopify-pos://*; connect-src 'self' wss://* https://*; frame-ancestors 'none'; img-src 'self' data: blob: https:; script-src https://cdn.shopify.com https://cdn.shopifycdn.net https://checkout.pci.shopifyinc.com https://checkout.pci.shopifyinc.com/build/75a428d/card_fields.js https://api.stripe.com https://mpsnare.iesnare.com https://appcenter.intuit.com https://www.paypal.com https://js.braintreegateway.com https://c.paypal.com https://maps.googleapis.com https://www.google-analytics.com https://v.shopify.com 'self' 'unsafe-inline' 'unsafe-eval'; upgrade-insecure-requests; report-uri /csp-report?source%5Baction%5D=create&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=admin%2Fwebhooks&source%5Bsection%5D=admin_api&source%5Buuid%5D=b4abf47d-2db3-4198-84b9-c9800aa8efab-1746415253; report-to shopify-csp",
"x-content-type-options": "nosniff",
"x-download-options": "noopen",
"x-permitted-cross-domain-policies": "none",
"x-xss-protection": "1; mode=block",
"reporting-endpoints": "shopify-csp=\"/csp-report?source%5Baction%5D=create&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=admin%2Fwebhooks&source%5Bsection%5D=admin_api&source%5Buuid%5D=b4abf47d-2db3-4198-84b9-c9800aa8efab-1746415253\"",
"x-dc": "gcp-us-central1,gcp-us-central1,gcp-us-central1",
"content-encoding": "gzip",
"alt-svc": "h3=\":443\"; ma=86400",
"cf-cache-status": "DYNAMIC",
"report-to": "{\"endpoints\":[{\"url\":\"https:\\/\\/a.nel.cloudflare.com\\/report\\/v4?s=uOuWBO1P3Wtudw31mQs21%2FN6YULHOXvZeJBpv082G2B2IW00n%2F8EFXvnIb00MCOokb34GtlAl2tmtiiKcyFTlascUj75UXD8g2McMKLjPlPdQYIIBmVN8MJx2syaeN6fNMxkFu5BO9xN4b0r\"}],\"group\":\"cf-nel\",\"max_age\":604800}",
"nel": "{\"success_fraction\":0.01,\"report_to\":\"cf-nel\",\"max_age\":604800}",
"shopify-edge-ip": "23.227.38.74",
"server": "cloudflare",
"cf-ray": "93ad1ac5dd6379e9-HYD"
}
}