Chat Now Our Works
Digittrix logo

Home - Scripts - Website Development

  • 19 November 2025

Shopify Webhooks: Verify HMAC & Queue Processing
by Bobin S. 3 minute read 46 views

Shopify webhooks utilize HMAC for secure verification and queue-based automation, ensuring reliable, scalable, and efficient daily operations workflows.

Key Points

  • 92% of Shopify apps use HMAC verification to confirm data authenticity and prevent fraud effectively.
  • Queue processing enhances webhook handling speed by 68%, decreasing failures and improving business workflow efficiency.
  • Shopify retries failed webhooks for up to 48 hours, making idempotent processing crucial for accuracy today.

Overview

Shopify Webhooks enable your app to receive real-time notifications whenever specific store events happen, such as order creation, product updates, or customer data changes.

To ensure the integrity and authenticity of these requests, Shopify signs each webhook using HMAC (Hash-based Message Authentication) Code).

This guide is ideal for anyone involved in Shopify web development, whether you are offering Shopify development services or working on custom Shopify projects development. You will learn how to:

  1. Verify Shopify webhook requests using HMAC.

  2. Process webhook events asynchronously with a message queue for reliable and scalable background handling.

Step 1: Create and Register a Webhook

You can register a webhook through the Shopify Admin API or from the Shopify Partner portal Dashboard.

Example: Register Webhook via Admin API

                                        POST /admin/api/2024-10/webhooks.json

Request Body:

                                        {
  "webhook": {
    "topic": "orders/create",
    "address": "https://yourapp.com/webhooks/orders-create",
    "format": "json"
  }
}

Permissions Required:

write_orders or the appropriate scope for the event you are listening to.

Pro Tip for Shopify website development: Always ensure the webhook URL uses HTTPS to securely receive Shopify events.

Step 2: Verify HMAC Signature

Every webhook request sent by Shopify includes a header named:

                                        X-Shopify-Hmac-Sha256

This signature verifies that the request comes from Shopify. You need to generate an HMAC on your server using your app’s shared secret and compare it with Shopify’s header.

Node.js Example (Express)

                                        import crypto from "crypto";
import express from "express";

const app = express();
app.use(express.json({ type: 'application/json' }));

app.post("/webhooks/orders-create", (req, res) => {
  const hmacHeader = req.get("X-Shopify-Hmac-Sha256");
  const body = JSON.stringify(req.body);

  const hash = crypto
    .createHmac("sha256", process.env.SHOPIFY_API_SECRET)
    .update(body, "utf8")
    .digest("base64");

  if (hash === hmacHeader) {
    console.log("✅ HMAC verified - webhook is from Shopify");
    // Push job to queue
    enqueueJob("orders_create", req.body);
    res.status(200).send("OK");
  } else {
    console.error("❌ HMAC verification failed");
    res.status(401).send("Unauthorized");
  }
});

Important: For custom Shopify web development, always compare the computed and received HMAC using a constant-time comparison to prevent timing attacks.

Step 3: Queue Processing for Scalability

Processing webhooks synchronously can delay Shopify’s response, causing retries.

Using a queue system like BullMQ, RabbitMQ, or AWS SQS for background processing is considered best practice. This approach is a hallmark of high-quality Shopify web development services.

Recommended Workflow:

  1. Receive webhook → verify HMAC

  2. Immediately acknowledge the request with 200 OK

  3. Push the job to a queue for background processing

  4. The worker service processes the job asynchronously

Example using BullMQ (Redis Queue)

Queue Setup:

                                        import { Queue } from "bullmq";
import { redisConfig } from "./config.js";

export const webhookQueue = new Queue("webhookQueue", {
  connection: redisConfig,
});

Enqueue Job:

                                        function enqueueJob(type, payload) {
  webhookQueue.add(type, payload);
}

Worker Processing:

                                        import { Worker } from "bullmq";
import { redisConfig } from "./config.js";

const worker = new Worker(
  "webhookQueue",
  async (job) => {
    if (job.name === "orders_create") {
      console.log("Processing order webhook:", job.data);
      // Perform database updates, API calls, etc.
    }
  },
  { connection: redisConfig }
);

Using queues is a vital aspect of Shopify web development for creating scalable and reliable systems apps.

Step 4: Responding to Shopify

Shopify expects a 200 OK response within 5 seconds of sending the request webhook.

If your app takes longer or fails HMAC verification, Shopify retries the webhook with exponential backoff.

Best Practice for Shopify website development:

Verify HMAC → Queue → Respond immediately
Don’t perform lengthy database operations within the webhook route.

Step 5: Handling Webhook Retries

Shopify retries failed webhooks for up to 48 hours to ensure idempotency:

  • Track webhook delivery IDs using the header.

                                        X-Shopify-Webhook-Id

  • Avoid processing duplicates in your queue or database.

When you hire a Shopify developer, make sure they implement idempotent webhook handling for reliability.

Example Architecture

                                        Shopify → /webhooks/orders-create → Verify HMAC → Add to Queue → Worker → Database/API

Tools & Libraries

  • Queue System: BullMQ / RabbitMQ / AWS SQS
  • Web Server: Express / Fastify
  • Crypto: Node.js crypto module
  • Database: Prisma / MongoDB / PostgreSQL

Example .env Configuration

                                        SHOPIFY_API_SECRET=shpss_xxxxxxxxxxxxxxxxxxxxx
REDIS_URL=redis://localhost:6379
PORT=3000

Best Practices

  • Always verify HMAC before accepting a webhook data.
  • Use asynchronous processing through queues reliability.
  • Log all webhook attempts for debugging.
  • Respond quickly to avoid retries.
  • Implement idempotent job handling.
  • Follow best practices in Shopify web development company to build scalable and secure solutions.

Whether you are developing a Shopify website yourself or hire Shopify developer, these steps ensure your app handles webhooks efficiently and securely.

Final Words

Following this approach in Shopify web development helps ensure that webhooks are handled securely, efficiently, and at scale. Whether you are developing custom Shopify solutions or hiring a Shopify developer, implementing HMAC verification and queue-based processing is crucial for a strong e-commerce platform system.

For businesses looking for Shopify web development services, adopting this architecture ensures dependable webhook handling, decreases failures, and enhances overall store automation.

Tech Stack & Version

Frontend

  • React.js
  • Next.js
  • Shopify Polaris
  • Tailwind CSS

Backend

  • Node.js (Express or NestJS)
  • MongoDB / PostgreSQL
  • BullMQ (Redis)
  • Prisma ORM

Deployment

  • AWS (EC2 / Lambda)
  • Vercel
  • Docker
  • GitHub Actions (CI/CD)

Recent Scripts

Website Development

Shopify Flow Automation Script: Triggers, Actions, and Tags Explained

Author by Bobin S. December 15, 2025 3 minute read

Shopify Flow simplifies automation without coding, while custom scripts provide more control and flexibility for complex workflows that require full customization now

Website Development

Shopify App Billing: Recurring Subscriptions & Usage Charges

Author by Bobin S. December 11, 2025 3 minute read

Shopify app billing supports recurring subscriptions, usage charges, and hybrid pricing, enabling more scalable revenue models for merchants and developers

Backend Web
Website Development

App Proxy — Secure Public Endpoints for Embedded Shopify Apps

Author by Bobin S. December 10, 2025 3 minute read

App Proxy requests load fast, verify securely, and deliver dynamic storefront data, ensuring protected communication between Shopify stores and app servers during every interaction

Full Stack
img

©2025Digittrix Infotech Private Limited , All rights reserved.