Menu Close
    Start a Project Request quote Reading list Switch to dark mode

    Hmac validation in shopify app

    Authorisation in shopify app

    Shopify app requires store’s data but first it has to go through authorisation process.

    shopify uses OAuth 2.0 for authorisation.

    Every request from app is validated at shopify end. Similary every request or redirect from shopify must be validated by app server for proper verification.

    for this shopify provides a hmac parameter along with other parameters.

    What is hmac

    hash message authentication code is calculated hash value of all the parameters sent by the shopify .

    How hmac validation can be done

    hmac can be calculated in any programming language using sha256 cryptographic algorithm.

    However the doc for hmac verification is provided by shopify but still there is confusion among app developers how to implement it correctly.



    First we need to get the parameters except hmac parameter.

    Note: we need all the parameters sent by shopify server.



    keys and values must be checked for & an % characters if found then it should be replaced by %25 and %26 respectively .

    if key contains = character then it should be replaced by %3d which is nothing but utf-8 value of the character.



    Then build a string in which key and value are joined together using = character and such key and value pair joined by & sign .



    Finally we need to calculate  hmac-sha256 hash using ‘app-secret-key’ as the key .

    the calculated hash digest can be checked with hmac value as provided by the shopify.


    Here is the code in php for hmac verification.


    . . .


    Add Your Comment

    Be the first to comment.

    Back to Top
    Hire Us!
    Brief us about your requirements and we'll get back to you.
    Woo! Hooy!
    We have just recieved your project brief and our expert will contact you shortly.
    Send Again