HTTPS webhook delivery in Shopify

Register an endpoint

Your endpoint must be an HTTPS webhook address with a valid SSL certificate that can correctly process event notifications.

Subscribe to a webhook topic

Send a POST request to the Webhook resource in the REST API:

POST /admin/api/2022-01/webhooks.json

{
  "webhook": {
    "topic": "orders/create",
    "address": "https://12345.ngrok.io/",
    "format": "json"
  }
}

Test the webhook

Run a local server or use a publicly available service such as Beeceptor.

Receive the webhook

After you register an endpoint, Shopify sends an HTTP POST request to the URL specified every time that event occurs. The HTTP POST request’s parameters contain the JSON or XML data relevant to the event that triggered the request.

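Verify the webhook

Before you respond to a webhook, you need to verify that the webhook was sent from Shopify. You can verify the webhook by calculating a digital signature: compute an HMAC-SHA256 of the raw request body with the app's API secret key, base64-encode it, and compare it with the value in the X-Shopify-Hmac-SHA256 header.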

# The following example uses Python and the Flask framework to verify a webhook request:
from flask import Flask, request, abort
import hmac
import hashlib
import base64

app = Flask(__name__)

# The Shopify app's API secret key, viewable from the Partner Dashboard. In a production environment, set the API secret key as an environment variable to prevent exposing it in code.
API_SECRET_KEY = 'my_api_secret_key'


def verify_webhook(data, hmac_header):
    # A request without the signature header cannot be verified.
    if hmac_header is None:
        return False

    # HMAC-SHA256 over the raw request body, keyed with the API secret key, then base64-encoded.
    digest = hmac.new(API_SECRET_KEY.encode('utf-8'), data, digestmod=hashlib.sha256).digest()
    computed_hmac = base64.b64encode(digest)

    # compare_digest runs in constant time, so the comparison does not leak how many bytes matched.
    return hmac.compare_digest(computed_hmac, hmac_header.encode('utf-8'))


@app.route('/webhook', methods=['POST'])
def handle_webhook():
    # Use the raw request bytes: the HMAC is computed over the body exactly as sent, not over parsed JSON.
    data = request.get_data()
    verified = verify_webhook(data, request.headers.get('X-Shopify-Hmac-SHA256'))

    if not verified:
        abort(401)

    # Process webhook payload
    # ...

    return ('', 200)
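
To exercise the check offline before pointing a real subscription at your endpoint, the following added example (not part of the original page) signs a constructed payload the same way and shows which inputs fail verification, including a body that was parsed and re-serialized before hashing. The names `sign`, `verify`, `run_cases`, `TEST_SECRET` and the payload are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed test secret for local testing; not a real API secret key.
TEST_SECRET = b"constructed-test-secret"


def sign(secret: bytes, raw_body: bytes) -> str:
    """Return the base64 HMAC-SHA256 value expected in the signature header."""
    digest = hmac.new(secret, raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def verify(secret: bytes, raw_body: bytes, header_value) -> bool:
    """Same check as verify_webhook; a missing or empty header fails closed."""
    if not header_value:
        return False
    expected = sign(secret, raw_body).encode("ascii")
    return hmac.compare_digest(expected, header_value.encode("utf-8"))


def run_cases() -> dict:
    # Constructed payload in compact JSON, as it would arrive on the wire.
    raw = b'{"id":1001,"total_price":"10.00","email":"jon@example.com"}'
    header = sign(TEST_SECRET, raw)

    # Parsing and re-serializing changes whitespace, so the bytes (and the HMAC) differ.
    reserialized = json.dumps(json.loads(raw)).encode("utf-8")
    # A body modified in transit no longer matches the header.
    tampered = raw.replace(b"10.00", b"0.01")

    return {
        "raw_body": verify(TEST_SECRET, raw, header),
        "reserialized_body": verify(TEST_SECRET, reserialized, header),
        "tampered_body": verify(TEST_SECRET, tampered, header),
        "wrong_secret": verify(b"some-other-secret", raw, header),
        "missing_header": verify(TEST_SECRET, raw, None),
    }


if __name__ == "__main__":
    for case, accepted in run_cases().items():
        print(f"{case:18} -> {'accepted' if accepted else 'rejected'}")
```

Only the untouched raw body is accepted; every other case is rejected, which is why the handler must hash `request.get_data()` rather than a parsed copy of the JSON.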

Respond to the webhook

Your webhook acknowledges that it received data by sending a 200 OK response. Any response outside of the 200 range, including 3XX HTTP redirection codes, indicates that you didn’t receive the webhook.
