Webhook Guide
Shopify Guias de prueba de webhooks
Store event webhooks for orders, customers, products
Ruta rapida: comandos helper CLI
Use these first to avoid setup mistakes, then follow the full provider steps below.
instatunnel webhook init --provider shopify --port 3000 --path /webhooks/shopify
instatunnel webhook verify --provider shopify --secret-env SHOPIFY_WEBHOOK_SECRET
instatunnel webhook test --provider shopify
If you run into provider-specific issues, use the full checklist sections below.
For cross-provider MCP + webhook diagnostics, open /docs/troubleshooting.
Replay + helper de firma (dashboard)
Open /dashboard or /dashboard/tunnels and use Webhook Command Center for this provider. It gives one-click replay and signature verification helpers.
instatunnel webhook verify --provider shopify --secret-env SHOPIFY_WEBHOOK_SECRET
curl -i -X POST "https://YOUR-SUBDOMAIN.instatunnel.my/webhooks/shopify" -H "Content-Type: application/json" --data-binary @sample-shopify.json
Required signature header: x-shopify-hmac-sha256
1. Setup local de app
Create a local webhook endpoint at: /webhooks/shopify
import express from 'express'
import crypto from 'crypto'
const app = express()
app.post('/webhooks/shopify', express.raw({ type: 'application/json' }), (req, res) => {
const hmac = req.header('x-shopify-hmac-sha256') || ''
const rawBody = req.body as Buffer
const digest = crypto
.createHmac('sha256', process.env.SHOPIFY_WEBHOOK_SECRET!)
.update(rawBody)
.digest('base64')
const hmacBuf = Buffer.from(hmac)
const digestBuf = Buffer.from(digest)
const valid = hmacBuf.length === digestBuf.length && crypto.timingSafeEqual(hmacBuf, digestBuf)
if (!valid) {
return res.status(401).send('invalid hmac')
}
console.log('shopify topic:', req.header('x-shopify-topic'))
res.status(200).send('ok')
})
app.listen(3000, () => console.log('listening on :3000'))2. Ejecutar comando InstaTunnel
instatunnel 3000 --subdomain shopify-dev
Keep a fixed subdomain so your provider dashboard URL does not keep changing.
3. Campos a pegar en proveedor
| Field | Value | Where/notes |
|---|---|---|
| Delivery URL | {{WEBHOOK_URL}} | Shopify Admin > Settings > Notifications > Webhooks |
| Format | JSON | Use JSON payloads |
| Event/topic | orders/create (example) | Select only required topics |
| Webhook API version | Latest stable | Keep app and webhook version aligned |
Use the helper below to generate exact values with your chosen subdomain and path.
Helper de configuracion webhook en un click
Genera comando, URL webhook y valores para copiar en el proveedor.
Ejecutar InstaTunnel
instatunnel 3000 --subdomain shopify-devURL webhook
https://shopify-dev.instatunnel.my/webhooks/shopify| Campo del proveedor | Valor para pegar | Notas |
|---|---|---|
| Delivery URL | https://shopify-dev.instatunnel.my/webhooks/shopify | Shopify Admin > Settings > Notifications > Webhooks |
| Format | JSON | Use JSON payloads |
| Event/topic | orders/create (example) | Select only required topics |
| Webhook API version | Latest stable | Keep app and webhook version aligned |
Consejo: usa un subdominio estable por proveedor para no reconfigurar el panel.
4. Enviar evento de prueba
- In Shopify Admin webhook settings, click "Send test notification".
- For app webhooks, use Shopify CLI trigger commands in a dev store.
- Confirm your endpoint logs topic, shop domain, and a 2xx response.
# Shopify CLI example (event names vary by app setup) shopify app webhook trigger --topic orders/create
5. Verificar firma
Verify this header on every request: x-shopify-hmac-sha256
const digest = crypto
.createHmac('sha256', process.env.SHOPIFY_WEBHOOK_SECRET!)
.update(rawPayloadBuffer)
.digest('base64')
const valid = Buffer.from(req.header('x-shopify-hmac-sha256') || '').length === Buffer.from(digest).length &&
crypto.timingSafeEqual(Buffer.from(req.header('x-shopify-hmac-sha256') || ''), Buffer.from(digest))
if (!valid) return res.status(401).send('invalid hmac')6. Reintentos e idempotencia
- Use webhook ID + topic + timestamp as dedupe keys.
- Process asynchronously and return 200 quickly.
- Treat webhook deliveries as at-least-once and potentially out-of-order.
7. Fallos comunes y solucion rapida
401 invalid hmac
Verify webhook secret and ensure you hash exact payload body.
No webhook after install
Confirm webhook subscription exists for the correct store and topic.
Parsing failures
Force JSON body parsing and validate expected schema by topic.