In this article, I will show you how you can verify Shopify Webhook Hmac in a Django Application.
In Shopify:
Go to Settings > Notifications > Webhook
- Create a Webhook
- Add Webhook URL
Create Webhook
You can use ngrok for development and testing purpose
SHOPIFY_WEBHOOK_SIGNED_KEY
After adding the webhook URL you will find a Signed Key for webhook just below of the Webhook URL list.
In Django:
Add a variable in settings.py file
SHOPIFY_WEBHOOK_SIGNED_KEY = env.str('SHOPIFY_WEBHOOK_SIGNED_KEY', '')
Then in your views.py file,
I used django-rest-framework views, response, and status
from django.views.decorators.csrf import csrf_exempt
from rest_framework import status
from rest_framework.decorators import api_view
from rest_framework import status
from rest_framework.response import Response
import hmac
import hashlib
import base64
def computed_hmac(secret, body):
hash_code = hmac.new(secret.encode('utf-8'), body, hashlib.sha256)
return base64.b64encode(hash_code.digest()).decode()
def verify_hmac(secret, body, shopify_hmac):
return computed_hmac(secret, body) == shopify_hmac
@csrf_exempt
@api_view(['POST'])
def api_view_webhook(request):
# get hmac from shopify webhook request
shopify_hmac = request.headers.get('X-Shopify-Hmac-Sha256')
if verify_hmac(settings.SHOPIFY_WEBHOOK_SIGNED_KEY, request.body, shopify_hmac):
print('valid')
return Response(status=status.HTTP_200_OK) else:
else:
print('invalid')
return Response(status=status.HTTP_400_BAD_REQUEST)
In your urls.py file,
from .views import_ api_view_webhook
urlpatterns = [
path('webhook/', api_view_webhook, name='api_view_webhook'),
]
If verify_hmac is True then it will print “valid” in terminal console otherwise it will print **“invalid”.
**That’s it.
Thanks.
You can find this article in medium also
Latest comments (10)
Great! Work like a charm
Thank you for the tutorial. Where do you get the settings.SHOPIFY_WEBHOOK_SIGNED_KEY from? Can I use the Shopify API Secret Key?
After adding the webhook URL you will find a Signed Key for webhook just below of the Webhook URL list
Ah, so for public apps you have to add the API secret key. :)
Check this on Medium. I posted the same thing. May be here something missing
medium.com/@BorhanTipu/django-shop...
Thanks man. Got it working in the end with the APP API key. The problem was with encoding. Your code really helped. Thank you very much.
You are welcome. I also faced this issue. After figure it out I published this article so that other can get helps from it.
Good job. Keep writing more. :)
Hi - vv helpful, but couple of minor typos in your code
should be a 'def' in front of 'computed_hmac'
in the 'verify_hmac' def, the second line should be
return computed_hmac(secret, body) == shopify_hmac
(you have 'get_hmac')
Thanks. I will update it.