Webhooks & HMAC signatures

Hi @BySorivaApps! I’ve seen this exact issue come up a few times recently. The automated review is looking for compliance webhooks configured in a specific way, and the HMAC check cannot pass if the webhooks are not configured correctly.

The automated review specifically looks for mandatory compliance webhooks to be configured as App Specific Webhooks in your shopify.app.toml file using the compliance_topics field. If you’re registering them programmatically after install, the review won’t detect them.

Here’s what the TOML configuration should look like:

[webhooks]
api_version = "2025-10"

[[webhooks.subscriptions]]
compliance_topics = ["customers/data_request", "customers/redact", "shop/redact"]
uri = "/webhooks"

Once you’ve added this to your shopify.app.toml file, you need to deploy it:

shopify app deploy

For the HMAC verification, your webhook endpoint needs to return an HTTP 400 Bad Request (not 401) when the HMAC signature is invalid. When the signature is valid, return 200 OK.

I’ve found this thread where a developer ran into the same issue, which got resolved by moving the webhooks to the TOML file and deploying a new version.

If the above doesn’t help, can you share a few details to help narrow this down?

  1. How are you registering your compliance webhooks? Are they in your shopify.app.toml file, or are you registering them programmatically via the API after the app installs?

  2. If you’re using the TOML file, can you share that webhook configuration section?

  3. What HTTP status code does your webhook handler return when HMAC validation fails?

  4. Have you run shopify app deploy after adding the webhook configuration?
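
The status-code behaviour described in the reply, as an added example that is not part of the original post and is not Shopify's code: a framework-independent check that yields 400 for a missing, malformed or wrong signature and 200 for a valid one. It assumes the signature arrives base64-encoded in the X-Shopify-Hmac-SHA256 header and is keyed with the app's client secret (neither is stated in the post); the function names and sample values are constructed for illustration.

```python
import base64
import binascii
import hashlib
import hmac

HMAC_HEADER = "x-shopify-hmac-sha256"  # matched case-insensitively

# Constructed sample values, not real credentials or a real payload.
SAMPLE_SECRET = "constructed-client-secret"
SAMPLE_BODY = b'{"shop_id":1,"shop_domain":"example.myshopify.com"}'


def compute_hmac_b64(raw_body: bytes, client_secret: str) -> str:
    """Base64 HMAC-SHA256 of the exact request bytes, keyed with the app secret."""
    digest = hmac.new(client_secret.encode(), raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def webhook_status(raw_body: bytes, headers: dict, client_secret: str) -> int:
    """Status code the endpoint should send: 200 if the signature is valid, else 400."""
    supplied = {k.lower(): v for k, v in headers.items()}.get(HMAC_HEADER)
    if not supplied:
        return 400  # header missing or empty
    try:
        supplied_digest = base64.b64decode(supplied, validate=True)
    except (binascii.Error, ValueError):
        return 400  # header is not valid base64
    expected = base64.b64decode(compute_hmac_b64(raw_body, client_secret))
    # Constant-time comparison avoids leaking how many bytes matched.
    if not hmac.compare_digest(supplied_digest, expected):
        return 400
    return 200


if __name__ == "__main__":
    good = {"X-Shopify-Hmac-Sha256": compute_hmac_b64(SAMPLE_BODY, SAMPLE_SECRET)}
    print(webhook_status(SAMPLE_BODY, good, SAMPLE_SECRET))         # valid signature
    print(webhook_status(SAMPLE_BODY + b" ", good, SAMPLE_SECRET))  # body bytes changed
    print(webhook_status(SAMPLE_BODY, {}, SAMPLE_SECRET))           # no header
```

Pass the handler the request body as received, before any JSON parsing or re-serialization, since the HMAC covers the exact bytes.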