Shopify Integration
Set up HookWatch to receive Shopify webhooks for store events like new orders, product updates, and customer changes.
Prerequisites
- A HookWatch account
- A Shopify store with admin access or a Shopify Partner account
- A server endpoint to process webhook payloads
Step 1: Create a HookWatch endpoint
- Go to your Endpoints page
- Click "Create Endpoint"
- Enter a name like "Shopify Webhooks"
- Enter your destination URL (where you want webhooks forwarded)
- Copy the generated webhook URL
Step 2: Configure Shopify webhooks
Via Shopify Admin:
- Go to your Shopify Admin panel
- Click Settings > Notifications
- Scroll down to Webhooks
- Click "Create webhook"
- Select the event you want to subscribe to
- Set format to JSON
- Paste your HookWatch URL
- Select your API version (use the latest stable version)
- Click "Save"
Via Shopify API:
For apps, you can register webhooks programmatically using the Shopify Admin API.
```json
{
  "webhook": {
    "topic": "orders/create",
    "address": "{config.webhookUrl}/wh/YOUR_SLUG",
    "format": "json"
  }
}
```
Popular webhook topics:
- orders/create
- orders/paid
- orders/fulfilled
- orders/cancelled
- products/create
- products/update
- customers/create
- refunds/create
- inventory_levels/update
- carts/create
Step 3: Verify webhooks on your server
Shopify signs webhook payloads using HMAC-SHA256. HookWatch forwards the X-Shopify-Hmac-SHA256 header so you can verify authenticity.
You'll find your webhook signing secret in Settings > Notifications > Webhooks at the bottom of the page.
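```javascript
const crypto = require('crypto');
const express = require('express');

const app = express();

// Recompute the HMAC over the raw body and compare it to the header in constant time.
function verifyShopifyWebhook(body, hmacHeader, secret) {
  // A request without the signature header is rejected rather than crashing the handler.
  if (typeof hmacHeader !== 'string') return false;
  const hash = crypto
    .createHmac('sha256', secret)
    .update(body, 'utf8')
    .digest('base64');
  const expected = Buffer.from(hash);
  const received = Buffer.from(hmacHeader);
  // timingSafeEqual throws on buffers of different length, so compare lengths first.
  return expected.length === received.length &&
    crypto.timingSafeEqual(expected, received);
}

// express.raw keeps req.body as a Buffer holding the exact bytes that were received.
app.post('/webhooks/shopify', express.raw({type: 'application/json'}), (req, res) => {
  const hmac = req.headers['x-shopify-hmac-sha256'];
  const secret = process.env.SHOPIFY_WEBHOOK_SECRET;
  if (!verifyShopifyWebhook(req.body, hmac, secret)) {
    return res.status(401).send('Invalid signature');
  }
  const topic = req.headers['x-shopify-topic'];
  // Parse only after the signature has been verified.
  const payload = JSON.parse(req.body);
  switch (topic) {
    case 'orders/create':
      console.log('New order:', payload.name);
      break;
    case 'products/update':
      console.log('Product updated:', payload.title);
      break;
    // ... handle other topics
  }
  res.status(200).send('OK');
});
```
Shopify webhook headers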
HookWatch forwards all Shopify headers. Here are the important ones:
| Header | Description |
|---|---|
| X-Shopify-Topic | The webhook topic (e.g., orders/create) |
| X-Shopify-Shop-Domain | Your store's myshopify.com domain |
| X-Shopify-API-Version | The API version used for the payload |
| X-Shopify-Hmac-SHA256 | Base64-encoded HMAC for signature verification |
| X-Shopify-Webhook-Id | Unique ID for the webhook delivery |
Testing the integration
You can test Shopify webhooks by:
- Creating a test order in your store (use Shopify's Bogus Gateway for testing)
- Using the "Send test notification" button in webhook settings
- Using a development store with test data
Tip
Use the HookWatch event detail page to see the exact payload Shopify sends. This makes debugging much easier.
Common issues
Webhook marked as failed in Shopify
Shopify expects a 200 response within 5 seconds. If your endpoint takes longer or returns an error, Shopify marks it as failed. HookWatch acknowledges immediately, so check your destination server if you see failures.
Signature verification fails
Make sure you're using the raw request body (not parsed JSON) for verification. The signature is computed on the exact bytes Shopify sends.
Webhook deleted automatically
Shopify automatically deletes webhooks after 19 consecutive failures. With HookWatch's automatic retries, this is much less likely to happen.
Duplicate webhooks
Shopify may send the same webhook multiple times. Use the X-Shopify-Webhook-Id header to deduplicate events on your server.
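The raw-body and duplicate-delivery issues above, combined in an added example that is not HookWatch's or Shopify's own code. The secret, payload and delivery IDs are constructed sample values, and `createDeduper` and `handleDelivery` are hypothetical helper names.

```javascript
const crypto = require('crypto');

// Constructed sample values for illustration only (not real Shopify data).
const SECRET = 'example-signing-secret';
const RAW_BODY = Buffer.from('{"id":1001,  "name":"#1001", "note":"café"}', 'utf8');

// Base64 HMAC-SHA256 over the exact bytes of the body.
function sign(body, secret) {
  return crypto.createHmac('sha256', secret).update(body).digest('base64');
}

// Returns false (never throws) for a missing, truncated or wrong header.
function verifyRawBody(rawBody, hmacHeader, secret) {
  if (typeof hmacHeader !== 'string') return false;
  const expected = Buffer.from(sign(rawBody, secret), 'base64');
  const received = Buffer.from(hmacHeader, 'base64');
  return expected.length === received.length &&
    crypto.timingSafeEqual(expected, received);
}

// In-memory record of delivery IDs already handled (hypothetical helper).
// Assumption: a multi-process deployment would use a shared store with expiry.
function createDeduper() {
  const seen = new Set();
  return (webhookId) => {
    if (seen.has(webhookId)) return false;
    seen.add(webhookId);
    return true;
  };
}

// Verify first, then deduplicate, so unsigned requests cannot fill the ID store.
function handleDelivery(rawBody, headers, secret, isFirstDelivery) {
  if (!verifyRawBody(rawBody, headers['x-shopify-hmac-sha256'], secret)) {
    return 'rejected';
  }
  const id = headers['x-shopify-webhook-id'];
  if (id && !isFirstDelivery(id)) return 'duplicate';
  return 'processed';
}
```

Re-serializing the parsed payload drops the extra whitespace in `RAW_BODY`, so `verifyRawBody` returns false for it even with the correct header.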