Authentication of webhook payloads

Authentication of webhook payloads is currently handled via a secret included in the request headers. The two relevant site settings are:

  • webhook receiver secret: The shared secret, e.g. 01534563e542342312349
  • webhook receiver secret header key: The name of the request header that carries the HMAC computed with that secret, e.g. X-Shopify-Hmac-SHA256.

The secret is validated using the following code, taken directly from Shopify’s example for secret validation:

require 'openssl'
require 'base64'
require 'active_support/security_utils'

# secret      - the value of the "webhook receiver secret" site setting
# body        - the raw request body, exactly as received (before any parsing)
# hmac_header - the value of the header named by "webhook receiver secret header key"
calculated_hmac = Base64.strict_encode64(OpenSSL::HMAC.digest('sha256', secret, body))
# Constant-time comparison so the check does not leak how many leading bytes matched
ActiveSupport::SecurityUtils.secure_compare(calculated_hmac, hmac_header)

See further https://shopify.dev/tutorials/manage-webhooks.
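The following is an added, self-contained Ruby example of the receiver-side check described above; it is not the plugin's own code or Shopify's. It reproduces the same HMAC-SHA256-then-Base64 computation, substitutes a small stdlib constant-time comparison for ActiveSupport::SecurityUtils.secure_compare (so it runs without Rails), and exercises the cases a receiver must reject: a tampered body, a missing header, and a wrong secret. The secret, header name and body values are constructed for the example.

```ruby
require 'openssl'
require 'base64'

# Constructed sample configuration, mirroring the two site settings on the page.
# The secret is a made-up value in the same format as the page's example, not a real credential.
WEBHOOK_SECRET     = '01534563e542342312349'
WEBHOOK_HEADER_KEY = 'X-Shopify-Hmac-SHA256'

# Constant-time string comparison, equivalent in purpose to
# ActiveSupport::SecurityUtils.secure_compare: length check first, then XOR every
# byte so the running time does not depend on where the first mismatch occurs.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  left = a.unpack('C*')
  diff = 0
  b.each_byte { |byte| diff |= byte ^ left.shift }
  diff.zero?
end

# The value the sender is expected to place in the header: HMAC-SHA256 over the
# raw body bytes, keyed with the shared secret, strict (no newline) Base64 encoded.
def expected_hmac(secret, raw_body)
  Base64.strict_encode64(OpenSSL::HMAC.digest('sha256', secret, raw_body))
end

# Receiver-side check. `headers` is a Hash of header name => value; `raw_body` must be
# the body exactly as received. Re-serialising parsed JSON would change whitespace or
# key order and the HMAC would no longer match.
def webhook_authentic?(secret, header_key, headers, raw_body)
  return false if secret.nil? || secret.empty?          # refuse to run with no secret configured
  presented = headers[header_key]
  return false if presented.nil? || presented.empty?    # header absent: not authenticated
  secure_compare(expected_hmac(secret, raw_body), presented)
end

# Simulated exchange: the sender signs a body, the receiver verifies it.
def demo
  body   = '{"id":1,"email":"buyer@example.com"}'       # constructed payload
  header = { WEBHOOK_HEADER_KEY => expected_hmac(WEBHOOK_SECRET, body) }

  {
    genuine:       webhook_authentic?(WEBHOOK_SECRET, WEBHOOK_HEADER_KEY, header, body),
    tampered_body: webhook_authentic?(WEBHOOK_SECRET, WEBHOOK_HEADER_KEY, header, body.sub('"id":1', '"id":2')),
    no_header:     webhook_authentic?(WEBHOOK_SECRET, WEBHOOK_HEADER_KEY, {}, body),
    wrong_secret:  webhook_authentic?('not-the-secret', WEBHOOK_HEADER_KEY, header, body),
  }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

Only the `genuine` case returns true; every other case is rejected before any payload handling runs. In a real handler the raw body should be read once from the request stream and passed unchanged to both the verification and the parser.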

If there is a modification to this authentication method, secret validation method, or other security change you’d like to make to the plugin, please let us know by replying to this topic.