{"id":105274,"date":"2017-12-22T07:37:18","date_gmt":"2017-12-22T07:37:18","guid":{"rendered":"https:\/\/webkul.com\/blog\/?p=105274"},"modified":"2017-12-22T08:02:39","modified_gmt":"2017-12-22T08:02:39","slug":"hmac-validation-shopify-app","status":"publish","type":"post","link":"https:\/\/webkul.com\/blog\/hmac-validation-shopify-app\/","title":{"rendered":"Hmac validation in shopify app"},"content":{"rendered":"<h4><strong>Authorisation in a Shopify app<\/strong><\/h4>\n<p>A Shopify app needs the store&#8217;s data, but first it has to go through an authorisation process.<\/p>\n<p>Shopify uses OAuth 2.0 for authorisation.<\/p>\n<p>Every request from the app is validated at Shopify&#8217;s end. Similarly, every request or redirect from Shopify must be validated by the app server for proper verification.<\/p>\n<p>For this, Shopify provides an hmac parameter along with the other parameters.<\/p>\n<h4><strong>What is HMAC<\/strong><\/h4>\n<p>A hash-based message authentication code (HMAC) is a keyed hash value calculated over all the parameters sent by Shopify.<\/p>\n<h4><strong>How HMAC validation can be done<\/strong><\/h4>\n<p>The HMAC can be calculated in any programming language using the SHA-256 cryptographic hash algorithm.<\/p>\n<p>Shopify provides documentation for HMAC verification, but there is still confusion among app developers about how to implement it correctly.<\/p>\n<p>&nbsp;<\/p>\n<p>Step 1:<\/p>\n<p>First, collect the parameters, leaving out the hmac parameter.<\/p>\n<p>Note: all the parameters sent by the Shopify server are needed.<\/p>\n<p>&nbsp;<\/p>\n<p>Step 2:<\/p>\n<p>Keys and values must be checked for the % and &amp; characters; where found, they are replaced by %25 and %26 respectively.<\/p>\n<p>If a key contains the = character, it is replaced by %3D, which is the percent-encoded form of the character.<\/p>\n<p>&nbsp;<\/p>\n<p>Step 3:<\/p>\n<p>Then build a string in which each key and its value are joined using the = character, and the resulting key and value pairs are joined by the &amp; sign
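.<\/p>\n<p>&nbsp;<\/p>\n<p>Step 4:<\/p>\n<p>Finally, calculate the HMAC-SHA256 hash of this string using &#8216;app-secret-key&#8217; as the key.<\/p>\n<p>The calculated hash digest can then be checked against the hmac value provided by Shopify.<\/p>\n<p>&nbsp;<\/p>\n<p>Here is the code in PHP for HMAC verification.<\/p>\n<pre class=\"brush:php\">\r\n&lt;?php\r\n\r\n\/\/ Verify the hmac parameter on a request or redirect coming from Shopify.\r\n\/\/ Returns true when the computed digest matches, false otherwise.\r\nfunction verifyHmac()\r\n{\r\n  $ar = [];\r\n  $params = $_GET;\r\n\r\n  \/\/ A request without a string hmac parameter cannot be verified.\r\n  if (!isset($params['hmac']) || !is_string($params['hmac'])) {\r\n    return false;\r\n  }\r\n  $hmac = $params['hmac'];\r\n  unset($params['hmac']);\r\n\r\n  \/\/ Shopify signs the remaining parameters sorted by key, so sort before joining.\r\n  ksort($params, SORT_STRING);\r\n\r\n  foreach ($params as $key =&gt; $value) {\r\n    \/\/ Escape % first so the % signs added by the later replacements are not escaped again.\r\n    $key = str_replace(\"%\", \"%25\", $key);\r\n    $key = str_replace(\"&amp;\", \"%26\", $key);\r\n    $key = str_replace(\"=\", \"%3D\", $key);\r\n    $value = str_replace(\"%\", \"%25\", $value);\r\n    $value = str_replace(\"&amp;\", \"%26\", $value);\r\n\r\n    $ar[] = $key.\"=\".$value;\r\n  }\r\n\r\n  $str = join('&amp;', $ar);\r\n  \/\/ The last argument false returns the digest as lowercase hex.\r\n  $ver_hmac = hash_hmac('sha256', $str, \"YOUR-APP-SECRET-KEY\", false);\r\n\r\n  \/\/ hash_equals() compares in constant time and avoids the type juggling of ==.\r\n  if (hash_equals($ver_hmac, $hmac)) {\r\n    echo 'hmac verified';\r\n    return true;\r\n  }\r\n\r\n  return false;\r\n}\r\n?&gt;<\/pre>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Authorisation in shopify app Shopify app requires store&#8217;s data but first it has to go through authorisation process. shopify uses OAuth 2.0 for authorisation. Every request from app is validated at shopify end.\u00a0Similarly every request or redirect from shopify must be validated by app server for proper verification. 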
for this shopify provides a hmac parameter <a href=\"https:\/\/webkul.com\/blog\/hmac-validation-shopify-app\/\">[&#8230;]<\/a><\/p>\n","protected":false},"author":168,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[841],"tags":[],"class_list":["post-105274","post","type-post","status-publish","format-standard","hentry","category-shopify"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v24.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Hmac validation in shopify app - Webkul Blog<\/title>\n<meta name=\"description\" content=\"hmac validation shopify , authorisation shopify app\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/webkul.com\/blog\/hmac-validation-shopify-app\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Hmac validation in shopify app - Webkul Blog\" \/>\n<meta property=\"og:description\" content=\"hmac validation shopify , authorisation shopify app\" \/>\n<meta property=\"og:url\" content=\"https:\/\/webkul.com\/blog\/hmac-validation-shopify-app\/\" \/>\n<meta property=\"og:site_name\" content=\"Webkul Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/webkul\/\" \/>\n<meta property=\"article:published_time\" content=\"2017-12-22T07:37:18+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2017-12-22T08:02:39+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/cdnblog.webkul.com\/blog\/wp-content\/uploads\/2021\/08\/webkul-og.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1200\" \/>\n\t<meta property=\"og:image:height\" content=\"630\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" 
content=\"Sanjay Rawat\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@webkul\" \/>\n<meta name=\"twitter:site\" content=\"@webkul\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Sanjay Rawat\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/webkul.com\/blog\/hmac-validation-shopify-app\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/webkul.com\/blog\/hmac-validation-shopify-app\/\"},\"author\":{\"name\":\"Sanjay Rawat\",\"@id\":\"https:\/\/webkul.com\/blog\/#\/schema\/person\/b6f73b45ff5b7987074d97033790db98\"},\"headline\":\"Hmac validation in shopify app\",\"datePublished\":\"2017-12-22T07:37:18+00:00\",\"dateModified\":\"2017-12-22T08:02:39+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/webkul.com\/blog\/hmac-validation-shopify-app\/\"},\"wordCount\":254,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/webkul.com\/blog\/#organization\"},\"articleSection\":[\"Shopify\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/webkul.com\/blog\/hmac-validation-shopify-app\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/webkul.com\/blog\/hmac-validation-shopify-app\/\",\"url\":\"https:\/\/webkul.com\/blog\/hmac-validation-shopify-app\/\",\"name\":\"Hmac validation in shopify app - Webkul Blog\",\"isPartOf\":{\"@id\":\"https:\/\/webkul.com\/blog\/#website\"},\"datePublished\":\"2017-12-22T07:37:18+00:00\",\"dateModified\":\"2017-12-22T08:02:39+00:00\",\"description\":\"hmac validation shopify , authorisation shopify 
app\",\"breadcrumb\":{\"@id\":\"https:\/\/webkul.com\/blog\/hmac-validation-shopify-app\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/webkul.com\/blog\/hmac-validation-shopify-app\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/webkul.com\/blog\/hmac-validation-shopify-app\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/webkul.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Hmac validation in shopify app\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/webkul.com\/blog\/#website\",\"url\":\"https:\/\/webkul.com\/blog\/\",\"name\":\"Webkul Blog\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\/\/webkul.com\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/webkul.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/webkul.com\/blog\/#organization\",\"name\":\"WebKul Software Private Limited\",\"url\":\"https:\/\/webkul.com\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/webkul.com\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/cdnblog.webkul.com\/blog\/wp-content\/uploads\/2021\/08\/webkul-logo-accent-sq.png\",\"contentUrl\":\"https:\/\/cdnblog.webkul.com\/blog\/wp-content\/uploads\/2021\/08\/webkul-logo-accent-sq.png\",\"width\":380,\"height\":380,\"caption\":\"WebKul Software Private 
Limited\"},\"image\":{\"@id\":\"https:\/\/webkul.com\/blog\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/webkul\/\",\"https:\/\/x.com\/webkul\",\"https:\/\/www.instagram.com\/webkul\/\",\"https:\/\/www.linkedin.com\/company\/webkul\",\"https:\/\/www.youtube.com\/user\/webkul\/\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/webkul.com\/blog\/#\/schema\/person\/b6f73b45ff5b7987074d97033790db98\",\"name\":\"Sanjay Rawat\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/webkul.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/6fe1c4c3a00f17253fff5953d82c1cda25621bab1d564e9ed95efc502f67e036?s=96&d=https%3A%2F%2Fcdnblog.webkul.com%2Fblog%2Fwp-content%2Fuploads%2F2019%2F10%2Fmike.png&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/6fe1c4c3a00f17253fff5953d82c1cda25621bab1d564e9ed95efc502f67e036?s=96&d=https%3A%2F%2Fcdnblog.webkul.com%2Fblog%2Fwp-content%2Fuploads%2F2019%2F10%2Fmike.png&r=g\",\"caption\":\"Sanjay Rawat\"},\"url\":\"https:\/\/webkul.com\/blog\/author\/sanjay085\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","amp_enabled":true}