Webhooks & HMAC signatures

Hi! I’m having trouble passing the automated app checks, and I would like help understanding what exactly is failing and how to fix it.

My app successfully installs, redirects to the app UI, and uses a valid TLS certificate.
However, two checks keep failing:

  1. “Provides mandatory compliance webhooks”

  2. “Verifies webhooks with HMAC signatures”

From what I can see, my app does register the mandatory GDPR webhooks (customers/data_request, customers/redact, shop/redact), and I also validate HMAC signatures in my webhook handler. Despite this, the automated review shows both items as failing.

I would like to know:

  • What exact requirements are not met for these two checks?

  • Is there a specific endpoint format, response format, or HMAC verification method the checker expects?

  • Are there any logs or diagnostic details you can share so I know which webhook is failing or why the HMAC validation is not detected?

Thank you — any guidance on how to resolve this would be greatly appreciated.

Hi @BySorivaApps! I’ve seen this exact issue come up a few times recently. The automated review is looking for compliance webhooks configured in a specific way, and the HMAC check cannot pass if the webhooks are not configured correctly.

The automated review specifically looks for mandatory compliance webhooks to be configured as App Specific Webhooks in your shopify.app.toml file using the compliance_topics field. If you’re registering them programmatically after install, the review won’t detect them.

Here’s what the TOML configuration should look like:

[webhooks]
api_version = "2025-10"

[[webhooks.subscriptions]]
compliance_topics = ["customers/data_request", "customers/redact", "shop/redact"]
uri = "/webhooks"

Once you’ve added this to your shopify.app.toml file, you need to deploy it:

shopify app deploy

For the HMAC verification, your webhook endpoint needs to return an HTTP 400 Bad Request (not 401) when the HMAC signature is invalid. When the signature is valid, return 200 OK.

I’ve found this thread where a developer ran into the same issue, which got resolved by moving the webhooks to the TOML file and deploying a new version.

If the above doesn’t help, can you share a few details to help narrow this down?

  1. How are you registering your compliance webhooks? Are they in your shopify.app.toml file, or are you registering them programmatically via the API after the app installs?

  2. If you’re using the TOML file, can you share that webhook configuration section?

  3. What HTTP status code does your webhook handler return when HMAC validation fails?

  4. Have you run shopify app deploy after adding the webhook configuration?