Problem Introduction
Shopify webhooks randomly fail X-Shopify-Hmac-SHA256 signature validation.
Why It Happens
- Signing a parsed JSON object instead of raw bytes
- Encoding mismatch (binary vs UTF-8)
- Using the wrong App Secret
- Validating the wrong Topic header
Step-by-Step Fix
1. Capture the raw request body as a buffer using middleware like `express.raw()`.
2. Retrieve the `X-Shopify-Hmac-SHA256` header from the webhook.
3. Compute an HMAC-SHA256 of the raw body keyed with your App Secret and encode it as base64.
4. Compare your computed base64 output with the Shopify header.
Common Mistakes
- Using `hex` encoding instead of `base64`
- Using `JSON.stringify(req.body)` to recreate the payload
Debugging Workflow
Capture raw body -> compute HMAC -> base64 encode -> compare -> return 200.
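The steps and common mistakes above, as an added Node.js example (not Shopify's or Hookmetry's code). It assumes the route is mounted with `express.raw({ type: 'application/json' })`; the function names, the secret, the payload, the constant-time comparison and the 401 on failure are choices made for this example.

```javascript
const crypto = require('node:crypto');

// HMAC-SHA256 over the given bytes, in the requested output encoding.
function sign(body, secret, encoding) {
  return crypto.createHmac('sha256', secret).update(body).digest(encoding);
}

// True only when headerValue equals the base64 HMAC of the exact raw bytes.
function verifyShopifyHmac(rawBody, headerValue, appSecret) {
  if (!Buffer.isBuffer(rawBody) || typeof headerValue !== 'string') return false;
  const expected = Buffer.from(sign(rawBody, appSecret, 'base64'), 'utf8');
  const received = Buffer.from(headerValue, 'utf8');
  // timingSafeEqual throws on unequal lengths, so reject those first.
  return received.length === expected.length &&
    crypto.timingSafeEqual(received, expected);
}

// Assumes the route is mounted with express.raw({ type: 'application/json' }),
// so req.body is a Buffer. Node lower-cases incoming header names.
function handleWebhook(req, appSecret) {
  const header = req.headers['x-shopify-hmac-sha256'];
  if (!verifyShopifyHmac(req.body, header, appSecret)) return { status: 401 };
  // Parse only after the signature has been verified.
  return { status: 200, event: JSON.parse(req.body.toString('utf8')) };
}

// Constructed sample: spacing and escapes that JSON.stringify will not reproduce.
const SECRET = 'constructed-test-secret';
const RAW = Buffer.from('{"id": 1, "title": "Caf\\u00e9 \\/ mug"}', 'utf8');

function demo() {
  const header = sign(RAW, SECRET, 'base64');
  const reserialized = Buffer.from(JSON.stringify(JSON.parse(RAW.toString('utf8'))));
  return {
    rawOk: verifyShopifyHmac(RAW, header, SECRET),
    reserializedOk: verifyShopifyHmac(reserialized, header, SECRET),
    hexOk: verifyShopifyHmac(RAW, sign(RAW, SECRET, 'hex'), SECRET),
    wrongSecretOk: verifyShopifyHmac(RAW, header, 'constructed-other-secret'),
  };
}

console.log(demo());
```

Only the raw-bytes, base64, correct-secret case verifies; the re-serialized body, the hex digest and the wrong secret each fail.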
Preventive Best Practices
- Use Hookmetry to track encoding discrepancies between Shopify requests and your server.
Works with webhooks and other async event systems (including AI callbacks).
Instead of guessing, inspecting the exact payload and headers can help debug faster. Tools like Hookmetry support this workflow.