- Home
- Skills
- Toilahuongg
- Shopify Agents Kit
- Shopify Webhooks
shopify-webhooks_skill
- HTML
6
GitHub Stars
1
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill toilahuongg/shopify-agents-kit --skill shopify-webhooks- SKILL.md4.3 KB
Overview
This skill guides you through configuring, verifying, and processing Shopify webhooks so your app stays in sync with store events. It covers secure HMAC verification, registration options (app-configured and shop-specific), mandatory GDPR webhooks, and practical processing guidelines. Use it to implement reliable, compliant webhook handling for real-time Shopify notifications.
How this skill works
The skill explains how to verify incoming webhook requests using the X-Shopify-Hmac-Sha256 header and your API secret, emphasizing use of the raw request body for HMAC computation. It shows automatic verification options for common frameworks and how to register subscriptions either via a deployment config (recommended) or the Admin API for per-shop cases. It also describes required GDPR webhooks and how to respond quickly while delegating long work to background jobs.
When to use it
- Setting up initial webhook subscriptions for your Shopify app
- Verifying webhook request authenticity to prevent spoofing
- Implementing app uninstall and GDPR-compliance handlers
- Registering per-shop or dynamic runtime subscriptions
- Designing idempotent processing and async handling for events
Best practices
- Always verify requests using HMAC-SHA256 against the raw request body and your API secret
- Respond with 200 OK within 5 seconds; perform heavy work asynchronously (queues, workers)
- Make processing idempotent to handle duplicate deliveries safely
- Handle app/uninstalled to remove shop data and cancel subscriptions
- Register app-level webhooks via configuration for consistent deployment; use Admin API for dynamic, per-shop needs
Example use cases
- Automatically clean up shop records and tokens when APP_UNINSTALLED arrives
- Queue order processing and fulfillment when ORDERS_CREATE is received
- Update product caches or search indexes on PRODUCTS_UPDATE events
- Expose customers/data_request and customers/redact endpoints to meet GDPR obligations
- Create per-shop webhooks via the Admin API for custom store-level integrations
FAQ
Shopify sends X-Shopify-Hmac-Sha256 which is a base64 HMAC-SHA256 digest of the raw request body signed with your API secret.
Should I parse the request body before verification?
No. Always use the raw request body (bytes/Buffer) for HMAC verification; parsing can alter formatting and break the signature check.