How to Test Shopify Webhooks: Complete Guide
How to inspect Shopify order and compliance webhooks, verify HMAC signatures, and catch the platform-specific details that matter in production.
Shopify Webhook Basics
Shopify uses webhooks for almost every store-side change that matters: orders, customers, products, refunds, inventory, and compliance events for apps. These events keep downstream systems in sync with the store.
Shopify also expects public apps to handle three compliance topics: customers/data_request, customers/redact, and shop/redact. Those are easy to forget until app review, so they are worth testing early.
Key Shopify Webhook Topics
| Topic | Trigger | Priority |
|---|---|---|
orders/create | New order placed | Critical |
orders/paid | Payment captured | Critical |
orders/fulfilled | Order fulfilled | High |
refunds/create | Refund issued | High |
products/update | Product modified | Medium |
customers/create | New customer | Medium |
inventory_levels/update | Stock changed | Medium |
Method 1: Capture with Requex.me
If your first goal is to inspect the payload Shopify sends, a temporary endpoint is usually the fastest way to get there:
- Visit requex.me and copy your unique webhook URL.
- Go to Shopify Admin → Settings → Notifications → Webhooks → Create webhook.
- Select the event (e.g., "Order creation"), set format to JSON, and paste your Requex URL.
- Click "Send test notification" to receive a sample payload instantly.
- Inspect the full JSON structure in your Requex dashboard.
Tip: Shopify's test notification is one of the better vendor-side test tools. The payload is usually close enough to production to build your parser and validation logic with confidence.
Method 2: Shopify CLI for Local Development
# Install Shopify CLI npm install -g @shopify/cli @shopify/app # Start your app with webhook forwarding shopify app dev # The CLI creates a tunnel and registers webhook subscriptions # Events will be forwarded to your local server automatically
The Shopify CLI handles tunneling, webhook registration, and OAuth automatically. It's the recommended approach for app development, though Requex.me is still useful for quick payload inspection without running a full app.
Shopify Webhook Verification (HMAC)
Shopify signs every webhook with your app's shared secret using HMAC-SHA256. The signature is sent in the X-Shopify-Hmac-SHA256 header as a Base64-encoded digest.
const crypto = require('crypto');
function verifyShopifyWebhook(rawBody, hmacHeader, secret) {
const generatedHash = crypto
.createHmac('sha256', secret)
.update(rawBody, 'utf8')
.digest('base64');
return crypto.timingSafeEqual(
Buffer.from(generatedHash),
Buffer.from(hmacHeader)
);
}
// Express.js middleware
app.post('/webhooks/shopify', express.raw({type: 'application/json'}), (req, res) => {
const hmac = req.headers['x-shopify-hmac-sha256'];
if (!verifyShopifyWebhook(req.body, hmac, process.env.SHOPIFY_WEBHOOK_SECRET)) {
return res.status(401).send('Unauthorized');
}
const topic = req.headers['x-shopify-topic']; // e.g., "orders/create"
const payload = JSON.parse(req.body);
switch(topic) {
case 'orders/create':
handleNewOrder(payload);
break;
case 'orders/paid':
handleOrderPaid(payload);
break;
}
res.status(200).send('OK');
});Shopify-Specific Considerations
Mandatory webhooks for apps
Apps must handle customers/data_request, customers/redact, and shop/redact. Test each of these explicitly: returning 200 isn't enough, Shopify tracks response content.
4-hour delivery window
Shopify retries failed webhooks 8 times over a 4-hour period with exponential backoff. After 8 consecutive failures, the webhook subscription is automatically disabled. Monitor your webhook health in the Shopify Admin.
5-second response time
Shopify expects your endpoint to respond within 5 seconds. If processing takes longer, return 200 OK immediately and handle the work asynchronously.
Start Testing Webhooks Now
Generate your unique URL and test webhooks instantly. Free, no signup.
Open Webhook Tester →