How to Test Shopify Webhooks: Complete Guide

Why Shopify Webhooks are Essential for E-Commerce

Shopify webhooks are the foundation of e-commerce automation. Every significant event in your store — a new order, a product update, a customer registration, an inventory change — can trigger a webhook to your application. These webhooks power order management systems, email marketing tools, inventory sync, fulfillment services, and analytics platforms.

Missing or mishandling Shopify webhooks can have direct financial consequences. A missed orders/create webhook could mean an order goes unfulfilled. A failed refunds/create webhook could delay customer refund processing. An unhandled products/update webhook could leave your catalog out of sync across sales channels.

Thorough webhook testing during development ensures your integration handles every Shopify event correctly, from standard checkout flows to edge cases like partial refunds and variant updates.

Key Shopify Webhook Topics

Method 1: Capture with Requex.me

The fastest way to inspect Shopify webhook payloads:

1. Visit requex.me and copy your unique webhook URL.
2. Go to Shopify Admin → Settings → Notifications → Webhooks → Create webhook.
3. Select the event (e.g., "Order creation"), set format to JSON, and paste your Requex URL.
4. Click "Send test notification" to receive a sample payload instantly.
5. Inspect the full JSON structure in your Requex dashboard.

Method 2: Shopify CLI for Local Development

# Install Shopify CLI
npm install -g @shopify/cli @shopify/app

# Start your app with webhook forwarding
shopify app dev

# The CLI creates a tunnel and registers webhook subscriptions
# Events will be forwarded to your local server automatically

The Shopify CLI handles tunneling, webhook registration, and OAuth automatically. It's the recommended approach for app development, though Requex.me is still useful for quick payload inspection without running a full app.

Shopify Webhook Verification (HMAC)

Shopify signs every webhook with your app's shared secret using HMAC-SHA256. The signature is sent in the X-Shopify-Hmac-SHA256 header as a Base64-encoded digest.

const crypto = require('crypto');

function verifyShopifyWebhook(rawBody, hmacHeader, secret) {
  const generatedHash = crypto
    .createHmac('sha256', secret)
    .update(rawBody, 'utf8')
    .digest('base64');

  return crypto.timingSafeEqual(
    Buffer.from(generatedHash),
    Buffer.from(hmacHeader)
  );
}

// Express.js middleware
app.post('/webhooks/shopify', express.raw({type: 'application/json'}), (req, res) => {
  const hmac = req.headers['x-shopify-hmac-sha256'];

  if (!verifyShopifyWebhook(req.body, hmac, process.env.SHOPIFY_WEBHOOK_SECRET)) {
    return res.status(401).send('Unauthorized');
  }

  const topic = req.headers['x-shopify-topic']; // e.g., "orders/create"
  const payload = JSON.parse(req.body);

  switch(topic) {
    case 'orders/create':
      handleNewOrder(payload);
      break;
    case 'orders/paid':
      handleOrderPaid(payload);
      break;
  }

  res.status(200).send('OK');
});

Shopify-Specific Considerations