Hello Shopify Team,
Our app correctly registers all mandatory compliance webhooks (APP_UNINSTALLED, CUSTOMERS_DATA_REQUEST, CUSTOMERS_REDACT, SHOP_REDACT) during install using the Shopify Admin API.
Webhooks are verified using HMAC and respond with HTTP 200.
Automated checks appear to fail, but runtime behavior is correct.
We kindly request a manual compliance review.
Thank you.
Hi @247_support! The automated review is looking for compliance webhooks configured in your shopify.app.toml file using the compliance_topics field. If you’re registering them programmatically after install via the Admin API, the review won’t detect them.
This came up in this thread and this one - both got resolved by moving the webhooks to the TOML file and deploying.
Here’s what your TOML configuration should look like:
[webhooks]
api_version = "2025-10"
[[webhooks.subscriptions]]
compliance_topics = ["customers/data_request", "customers/redact", "shop/redact"]
uri = "/webhooks"
After adding this to your shopify.app.toml file, deploy it with shopify app deploy.
For the HMAC verification check, your webhook endpoint needs to verify the HMAC signature and return HTTP 401 Unauthorized when it’s invalid. When it’s valid, return 200 OK.
Once you’ve deployed the new version with the TOML configuration, the automated checks should pass - let me know if this helps!
Hi @247_support
I’ve encountered this issue before. Shopify not only requires a corresponding 200 status code in response, but also mandates returning a 401 status code when the verification fails.
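The HMAC check that both replies describe, as an added Node.js example that is not code from the thread or from Shopify. It assumes the raw request body is available as a Buffer and that the signing key is the app's client secret; `verifyShopifyHmac`, `handleComplianceWebhook` and the sample secret and payload are hypothetical names and constructed values.

```javascript
const crypto = require('node:crypto');

// Shopify sends the base64 HMAC-SHA256 of the raw request body in the
// X-Shopify-Hmac-SHA256 header. Verify over the exact bytes received:
// re-serialising parsed JSON changes the bytes and breaks the digest.
function verifyShopifyHmac(rawBody, headerValue, secret) {
  if (typeof headerValue !== 'string' || headerValue.length === 0) return false;
  const expected = crypto.createHmac('sha256', secret).update(rawBody).digest();
  const received = Buffer.from(headerValue, 'base64');
  // timingSafeEqual throws on unequal lengths, so reject those first.
  if (received.length !== expected.length) return false;
  return crypto.timingSafeEqual(received, expected);
}

// Framework-neutral handler (hypothetical): takes the raw body and
// lower-cased headers, returns the status the endpoint should send.
function handleComplianceWebhook(rawBody, headers, secret) {
  if (!verifyShopifyHmac(rawBody, headers['x-shopify-hmac-sha256'], secret)) {
    return { status: 401, body: 'Unauthorized' }; // invalid or missing HMAC
  }
  // Parse only after the signature has been verified.
  const payload = JSON.parse(rawBody.toString('utf8'));
  return { status: 200, body: 'OK', topic: headers['x-shopify-topic'], shop: payload.shop_domain };
}

// Constructed sample request, signed locally so the example runs offline.
function sampleRun() {
  const secret = 'constructed-client-secret';
  const body = Buffer.from('{"shop_domain":"example.myshopify.com"}');
  const sig = crypto.createHmac('sha256', secret).update(body).digest('base64');
  const headers = { 'x-shopify-hmac-sha256': sig, 'x-shopify-topic': 'shop/redact' };
  return {
    valid: handleComplianceWebhook(body, headers, secret).status,
    tampered: handleComplianceWebhook(Buffer.from('{"shop_domain":"other"}'), headers, secret).status,
    missing: handleComplianceWebhook(body, { 'x-shopify-topic': 'shop/redact' }, secret).status,
  };
}
```

In a web framework, capture the body with a raw-body parser on the `/webhooks` route before any JSON middleware runs, otherwise the digest is computed over different bytes and every request returns 401.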