Webhook Guide
Shopify Guides de test webhook
Store event webhooks for orders, customers, products
Chemin rapide : commandes helper CLI
Use these first to avoid setup mistakes, then follow the full provider steps below.
instatunnel webhook init --provider shopify --port 3000 --path /webhooks/shopify
instatunnel webhook verify --provider shopify --secret-env SHOPIFY_WEBHOOK_SECRET
instatunnel webhook test --provider shopify
If you run into provider-specific issues, use the full checklist sections below.
For cross-provider MCP + webhook diagnostics, open /docs/troubleshooting.
Replay + helper signature (dashboard)
Open /dashboard or /dashboard/tunnels and use Webhook Command Center for this provider. It gives one-click replay and signature verification helpers.
instatunnel webhook verify --provider shopify --secret-env SHOPIFY_WEBHOOK_SECRET
curl -i -X POST "https://YOUR-SUBDOMAIN.instatunnel.my/webhooks/shopify" -H "Content-Type: application/json" --data-binary @sample-shopify.json
Required signature header: x-shopify-hmac-sha256
1. Setup app locale
Create a local webhook endpoint at: /webhooks/shopify
import express from 'express'
import crypto from 'crypto'
const app = express()
app.post('/webhooks/shopify', express.raw({ type: 'application/json' }), (req, res) => {
const hmac = req.header('x-shopify-hmac-sha256') || ''
const rawBody = req.body as Buffer
const digest = crypto
.createHmac('sha256', process.env.SHOPIFY_WEBHOOK_SECRET!)
.update(rawBody)
.digest('base64')
const hmacBuf = Buffer.from(hmac)
const digestBuf = Buffer.from(digest)
const valid = hmacBuf.length === digestBuf.length && crypto.timingSafeEqual(hmacBuf, digestBuf)
if (!valid) {
return res.status(401).send('invalid hmac')
}
console.log('shopify topic:', req.header('x-shopify-topic'))
res.status(200).send('ok')
})
app.listen(3000, () => console.log('listening on :3000'))2. Lancer InstaTunnel
instatunnel 3000 --subdomain shopify-dev
Keep a fixed subdomain so your provider dashboard URL does not keep changing.
3. Champs provider a coller
| Field | Value | Where/notes |
|---|---|---|
| Delivery URL | {{WEBHOOK_URL}} | Shopify Admin > Settings > Notifications > Webhooks |
| Format | JSON | Use JSON payloads |
| Event/topic | orders/create (example) | Select only required topics |
| Webhook API version | Latest stable | Keep app and webhook version aligned |
Use the helper below to generate exact values with your chosen subdomain and path.
Assistant setup webhook en un clic
Genere commande tunnel, URL webhook et valeurs provider pretes a coller.
Lancer InstaTunnel
instatunnel 3000 --subdomain shopify-devURL webhook
https://shopify-dev.instatunnel.my/webhooks/shopify| Champ provider | Valeur a coller | Notes |
|---|---|---|
| Delivery URL | https://shopify-dev.instatunnel.my/webhooks/shopify | Shopify Admin > Settings > Notifications > Webhooks |
| Format | JSON | Use JSON payloads |
| Event/topic | orders/create (example) | Select only required topics |
| Webhook API version | Latest stable | Keep app and webhook version aligned |
Astuce : gardez un sous-domaine stable par provider pour eviter la reconfiguration.
4. Envoyer un evenement de test
- In Shopify Admin webhook settings, click "Send test notification".
- For app webhooks, use Shopify CLI trigger commands in a dev store.
- Confirm your endpoint logs topic, shop domain, and a 2xx response.
# Shopify CLI example (event names vary by app setup) shopify app webhook trigger --topic orders/create
5. Verifier la signature
Verify this header on every request: x-shopify-hmac-sha256
const digest = crypto
.createHmac('sha256', process.env.SHOPIFY_WEBHOOK_SECRET!)
.update(rawPayloadBuffer)
.digest('base64')
const valid = Buffer.from(req.header('x-shopify-hmac-sha256') || '').length === Buffer.from(digest).length &&
crypto.timingSafeEqual(Buffer.from(req.header('x-shopify-hmac-sha256') || ''), Buffer.from(digest))
if (!valid) return res.status(401).send('invalid hmac')6. Retrys et idempotence
- Use webhook ID + topic + timestamp as dedupe keys.
- Process asynchronously and return 200 quickly.
- Treat webhook deliveries as at-least-once and potentially out-of-order.
7. Echecs courants et corrections rapides
401 invalid hmac
Verify webhook secret and ensure you hash exact payload body.
No webhook after install
Confirm webhook subscription exists for the correct store and topic.
Parsing failures
Force JSON body parsing and validate expected schema by topic.