900+ reviews For Entrepreneurs
Digittrix logo

Home - Scripts - Website Development

  • 19 November 2025

Shopify Webhooks: Verify HMAC & Queue Processing
by Bobin S. 3 minute read 113 views

Shopify webhooks utilize HMAC for secure verification and queue-based automation, ensuring reliable, scalable, and efficient daily operations workflows.

Key Points

  • 92% of Shopify apps use HMAC verification to confirm data authenticity and prevent fraud effectively.
  • Queue processing enhances webhook handling speed by 68%, decreasing failures and improving business workflow efficiency.
  • Shopify retries failed webhooks for up to 48 hours, making idempotent processing crucial for accuracy today.

Overview

Shopify Webhooks enable your app to receive real-time notifications whenever specific store events happen, such as order creation, product updates, or customer data changes.

To ensure the integrity and authenticity of these requests, Shopify signs each webhook using HMAC (Hash-based Message Authentication) Code).

This guide is ideal for anyone involved in Shopify web development, whether you are offering Shopify development services or working on custom Shopify projects development. You will learn how to:

  1. Verify Shopify webhook requests using HMAC.

  2. Process webhook events asynchronously with a message queue for reliable and scalable background handling.

Step 1: Create and Register a Webhook

You can register a webhook through the Shopify Admin API or from the Shopify Partner portal Dashboard.

Example: Register Webhook via Admin API

                                        POST /admin/api/2024-10/webhooks.json

Request Body:

                                        {
  "webhook": {
    "topic": "orders/create",
    "address": "https://yourapp.com/webhooks/orders-create",
    "format": "json"
  }
}

Permissions Required:

write_orders or the appropriate scope for the event you are listening to.

Pro Tip for Shopify website development: Always ensure the webhook URL uses HTTPS to securely receive Shopify events.

Step 2: Verify HMAC Signature

Every webhook request sent by Shopify includes a header named:

                                        X-Shopify-Hmac-Sha256

This signature verifies that the request comes from Shopify. You need to generate an HMAC on your server using your app’s shared secret and compare it with Shopify’s header.

Node.js Example (Express)

                                        import crypto from "crypto";
import express from "express";

const app = express();
app.use(express.json({ type: 'application/json' }));

app.post("/webhooks/orders-create", (req, res) => {
  const hmacHeader = req.get("X-Shopify-Hmac-Sha256");
  const body = JSON.stringify(req.body);

  const hash = crypto
    .createHmac("sha256", process.env.SHOPIFY_API_SECRET)
    .update(body, "utf8")
    .digest("base64");

  if (hash === hmacHeader) {
    console.log("✅ HMAC verified - webhook is from Shopify");
    // Push job to queue
    enqueueJob("orders_create", req.body);
    res.status(200).send("OK");
  } else {
    console.error("❌ HMAC verification failed");
    res.status(401).send("Unauthorized");
  }
});

Important: For custom Shopify web development, always compare the computed and received HMAC using a constant-time comparison to prevent timing attacks.

Step 3: Queue Processing for Scalability

Processing webhooks synchronously can delay Shopify’s response, causing retries.

Using a queue system like BullMQ, RabbitMQ, or AWS SQS for background processing is considered best practice. This approach is a hallmark of high-quality Shopify web development services.

Recommended Workflow:

  1. Receive webhook → verify HMAC

  2. Immediately acknowledge the request with 200 OK

  3. Push the job to a queue for background processing

  4. The worker service processes the job asynchronously

Example using BullMQ (Redis Queue)

Queue Setup:

                                        import { Queue } from "bullmq";
import { redisConfig } from "./config.js";

export const webhookQueue = new Queue("webhookQueue", {
  connection: redisConfig,
});

Enqueue Job:

                                        function enqueueJob(type, payload) {
  webhookQueue.add(type, payload);
}

Worker Processing:

                                        import { Worker } from "bullmq";
import { redisConfig } from "./config.js";

const worker = new Worker(
  "webhookQueue",
  async (job) => {
    if (job.name === "orders_create") {
      console.log("Processing order webhook:", job.data);
      // Perform database updates, API calls, etc.
    }
  },
  { connection: redisConfig }
);

Using queues is a vital aspect of Shopify web development for creating scalable and reliable systems apps.

Step 4: Responding to Shopify

Shopify expects a 200 OK response within 5 seconds of sending the request webhook.

If your app takes longer or fails HMAC verification, Shopify retries the webhook with exponential backoff.

Best Practice for Shopify website development:

Verify HMAC → Queue → Respond immediately
Don’t perform lengthy database operations within the webhook route.

Step 5: Handling Webhook Retries

Shopify retries failed webhooks for up to 48 hours to ensure idempotency:

  • Track webhook delivery IDs using the header.

                                        X-Shopify-Webhook-Id

  • Avoid processing duplicates in your queue or database.

When you hire a Shopify developer, make sure they implement idempotent webhook handling for reliability.

Example Architecture

                                        Shopify → /webhooks/orders-create → Verify HMAC → Add to Queue → Worker → Database/API

Tools & Libraries

  • Queue System: BullMQ / RabbitMQ / AWS SQS
  • Web Server: Express / Fastify
  • Crypto: Node.js crypto module
  • Database: Prisma / MongoDB / PostgreSQL

Example .env Configuration

                                        SHOPIFY_API_SECRET=shpss_xxxxxxxxxxxxxxxxxxxxx
REDIS_URL=redis://localhost:6379
PORT=3000

Best Practices

  • Always verify HMAC before accepting a webhook data.
  • Use asynchronous processing through queues reliability.
  • Log all webhook attempts for debugging.
  • Respond quickly to avoid retries.
  • Implement idempotent job handling.
  • Follow best practices in Shopify web development company to build scalable and secure solutions.

Whether you are developing a Shopify website yourself or hire Shopify developer, these steps ensure your app handles webhooks efficiently and securely.

Final Words

Following this approach in Shopify web development helps ensure that webhooks are handled securely, efficiently, and at scale. Whether you are developing custom Shopify solutions or hiring a Shopify developer, implementing HMAC verification and queue-based processing is crucial for a strong e-commerce platform system.

For businesses looking for Shopify web development services, adopting this architecture ensures dependable webhook handling, decreases failures, and enhances overall store automation.

Tech Stack & Version

Frontend

  • React.js
  • Next.js
  • Shopify Polaris
  • Tailwind CSS

Backend

  • Node.js (Express or NestJS)
  • MongoDB / PostgreSQL
  • BullMQ (Redis)
  • Prisma ORM

Deployment

  • AWS (EC2 / Lambda)
  • Vercel
  • Docker
  • GitHub Actions (CI/CD)

Recent Scripts

Website Development

Razorpay Payment Webhook: A Complete Guide

Author by Tarun C. April 10, 2026 4 minute read

<p dir="ltr">Razorpay webhooks notify your server immediately of payment events, allowing secure, real-time updates and automatic transaction recording in your database.</p> <p>&nbsp;</p>

PHP
Website Development

Image Upload with Fixed Dimensions in ReactJS

Author by Parveen April 6, 2026 4 minute read

<p>Over 70% of web apps use client-side image processing to ensure consistent UI, faster load times, and optimized performance with fixed dimensions in ReactJS.</p>

Website Development

Shopify Draft Orders: Convert Quotes into Paid Orders

Author by Bobin S. April 2, 2026 3 minute read

<p>Convert quotes into paid orders using Shopify Draft Orders. Create custom pricing, send invoices, automate workflows, and boost order conversion rates.</p>