Shopify Webhooks

Shopify sends notifications for orders, products, and app lifecycle events. HookNexus lets you inspect JSON payloads and HMAC headers while you build or debug integrations.

Prerequisites

• A Shopify store (development store is fine)
• Admin access to Settings → Notifications (or app-based webhook registration)
• HookNexus URL: https://api.hooknexus.com/h/{endpoint-id}

Register a webhook in Shopify Admin

1. Open webhooks

   In Shopify Admin go to Settings → Notifications → scroll to Webhooks (exact layout can vary by Shopify plan and version).

2. Create webhook

   Click Create webhook (or Add webhook).

3. Set the URL

   https://api.hooknexus.com/h/YOUR_ENDPOINT_ID

4. Choose format

   Select JSON for the payload format.

5. Select a topic

   Pick a topic (see Common topics). Start with something easy to trigger, e.g. a product update or test order in a dev store.

6. Save

   Save the webhook. Perform an action in the store that fires the topic and confirm the request appears in HookNexus.

Note

Custom apps and public apps often register webhooks via the Admin API instead of the UI—the HookNexus URL you register is the same.

HMAC verification

Shopify signs the raw body with HMAC-SHA256 using your app’s client secret (or webhook secret, depending on registration method).

• Header: X-Shopify-Hmac-Sha256
• Value: Base64-encoded HMAC-SHA256 digest of the raw body

1. Copy the raw body from the HookNexus request detail view.
2. Use HookNexus Verify Signature with provider Shopify and your secret.
3. Compare the result to the header value.

curl -X POST https://api.hooknexus.com/api/verify-signature \
  -H "Content-Type: application/json" \
  -d '{
    "provider": "shopify",
    "payload": "<raw body>",
    "signature": "<X-Shopify-Hmac-Sha256>",
    "secret": "your_client_secret_or_webhook_secret"
  }'

Common topics

Topic	When it fires
orders/create	New order
products/update	Product fields change
app/uninstalled	Merchant uninstalls your app

Browse Shopify’s webhook topic list for the full catalog for your API version.

Mandatory webhooks (GDPR)

Shopify requires certain mandatory privacy webhooks for public apps (e.g. customer data requests, redaction). You must register endpoints that respond correctly to these topics.

Caution

Mandatory webhooks are compliance-related. Point them at HookNexus only for debugging—production apps should implement dedicated handlers that meet Shopify’s requirements and SLAs.

Typical mandatory topics include (names may vary by API version—verify in Shopify’s current docs):

• Customer data request
• Customer redaction
• Shop redaction

Troubleshooting

Symptom	What to check
No delivery	Confirm topic fires (e.g. create a test order); check webhook is active in Admin.
401/403 from Shopify to your app	Not applicable to HookNexus URL—if you forward to your app, ensure your app returns 2xx quickly.
HMAC mismatch	Use the correct secret for that app/installation; verify raw body byte-for-byte.
Wrong shop	Inspect X-Shopify-Shop-Domain and compare to your dev store.

Tip

Log X-Shopify-Topic and X-Shopify-Webhook-Id in your final app for traceability—HookNexus shows full headers for every delivery.

API version

Webhook payloads depend on the API version configured when the webhook was created; keep dev and prod aligned.