Reading list Switch to dark mode

    Webhook: Multi-Vendor Marketplace for Shopify

    How to register webhooks within Multivendor Marketplace App for Shopify?

    In Web Development, webhook is a method of adding or changing the behavior of a web page or web application with custom callbacks. The callbacks may be maintained, modified, and managed by third-party users and developers. Wikipedia

    After configuration, the events that you specify will trigger a webhook notification each time they occur. For example, the products/create webhook includes the following headers:

    • X-MVM-API-Hmac-Sha256: XWmrwMey6OsLMeiZKwP4FppHH3cmAiiJJAweH5Jo4bM=
    • X-MVM-API-Topic: products/create
    • X-MVM-API-Shop-Name:
    • X-MVM-API-Sid: 101

    How to Register Webhooks?

    Firstly, visit the feature app section and then you need to enable the Multivendor API add-on. This feature has an additional charge of USD 15 per month over and above your current multivendor plan.

    Searching for a Shopify
    Headless solution ?
    Read More

    Next, enter the webhook details you want to register. After this check the Webhook Topics, enter URL and save.


    The admin can also register Webhooks for individual sellers. For this, visit Multivendor Admin Panel > Sellers > Seller Listing > Edit Seller:

    registered webhooks

    Similarly, enter the details for the Webhooks you want to register:



    • You need to register the webhook via Multivendor Admin Dashboard and it cannot be done using API.


    Payloads contain a JSON object with the data for the webhook event. Also, the contents and structure of each payload varies depending upon the specified event.

    Receiving a webhook

    After registering a webhook URL, Multivendor app issues an HTTP POST request to the URL specified every time that event occurs.

    Moreover, the request’s POST parameters contain JSON data relevant to the event that triggered the request.

    Responding to a webhook

    Your webhook acknowledges that it received data by sending a 200 OK response. In case of any response outside of the 200 range, having 3XX HTTP codes, shows that you did not receive the webhook.


    The multivendor app has implemented a 60 seconds timeout period and a retry period for subscriptions. Further, the app waits 20 seconds for a response to each request to a webhook. If there is no response, or an error is returned. The multivendor app retries the connection 19 times over the next 20 minutes. If there are 19 consecutive failures, then the webhook subscription is automatically deleted.

    Verifying webhooks

    Webhooks created through the API are verified by calculating a digital signature. Each webhook request includes a base64-encoded X-MVM-API-Hmac-Sha256 header, which is generated using your access_token along with the data sent in the request.

    To verify that the request came from the multivendor app, compute the HMAC digest according to the following algorithm . Compare it to the value in the X-MVM-API-Hmac-Sha256 header. If they match, then you can be sure that the webhook was sent from the multivendor app.


    define('MVM_ACCESS_TOKEN', 'my_access_token');
    function verify_webhook($data, $hmac_header)
    $calculated_hmac = base64_encode(hash_hmac('sha256', $data, MVM_ACCESS_TOKEN, true));
    return hash_equals($hmac_header, $calculated_hmac);
    $headers = getallheaders();
    $hmac_header = $headers['X-MVM-API-Hmac-Sha256'];
    $data = file_get_contents('php://input');
    $verified = verify_webhook($data, $hmac_header);
    error_log('Webhook verified: '.var_export($verified, true)); //check error.log to see the result

    Webhook verification in node.js

    verifyHmac(req, res) {
       const crypto = require('crypto');
       const mvm_access_token = 'MVM_ACCESS_TOKEN';
       const hmac_header = req.headers['x-mvm-api-hmac-sha256'];
       let data = '';
       req.on('data', (chunk) => {
          data = data + chunk;
       req.on('end', () => {
          const verified = verifyWebhook(data, hmac_header);
          console.log(verified) // check console log for verified 
       function verifyWebhook(data, hmac_header) {
          let calculated_hmac = crypto.createHmac('sha256',              
          return calculated_hmac == hmac_header

    If you have any issues, please drop an email at [email protected] . You can also create a ticket at  Webkul UV Desk.

    . . .
    Add a comment

    Leave a Comment

    Your email address will not be published. Required fields are marked*

    Be the first to comment.

    Back to Top
    Great solution and the techs are very knowledgeable and helpful. Especially Nishi and Abhishek.
    Ann Beattie
    Senior Salesforce Consultant
    Talk to Sales


    Live Chat

    Message Sent!

    If you have more details or questions, you can reply to the received confirmation email.

    Back to Home

    Table of Content