The Wonderful World of Shopify Webhooks
This week's Building A Shopify app post is all about Shopify Webhooks. Webhooks provide a great way to keep a Shopify App in sync with changes that occur within a Shopify store.
In this post, I'll cover:
- What are Shopify Webhooks?
- Why should you use Shopify Webhooks?
- What Shopify Webhooks are available?
- Securing Your Shopify Webhooks
- Testing Your Shopify Webhooks
- Additional Words of Webhook Wisdom
What are Shopify Webhooks?
Shopify Webhooks provide a way for an app to request to be notified of important changes that occur within a Shopify store. For example, this may include changes to Orders, Products and Customers, to name a few.
Shopify Webhooks provide the perfect complement to using the The Shopify API to obtain data.
The Shopify API uses a pull model. The client, such as a Shopify App, requests data directly.
Shopify Webhooks use a push model. The client subscribes to events and Shopify pushes the data directly to the client as they occur.
Why should you use Shopify Webhooks?
Shopify Webhooks have a few distinct advantages that make them the preferred approach for most of your Shopify App data needs:
- Changes are sent to you as they occur, so updates should be more timely than polling via the API.
- Shopify Webhooks will not use any of your precious Shopify API call limit
- Shopify Webhooks are more efficient since you only process things that changed vs grabbing everything via API calls.
Your app will most likely still require pulling data directly from the Shopify API as well. Using both Webhooks and the Shopify API can provide a powerful combination to obtain all of the data needed for your Shopify App.
What Shopify Webhooks are available?
This is the full list of available webhooks, as documented here:
To give you a concrete example, let's take a look at how I will be using webhooks for my upcoming Best Sellers Shopify app.
My Best Sellers app will provide insights and visibility for the best selling Shopify products within a store. As a result, the app will need the following Order webhooks:
- order/create - so new orders can be added to the best seller totals
- order/cancelled - so cancelled orders can be removed from the best seller totals
- order/delete - so deleted orders can be removed from the best seller totals
NOTE: Shopify currently does not allow editing orders so that is one use case that I do not need to support. Rumor has it this may be coming in the hopefully near future though.
In addition, here are a couple other common Shopify Webhooks most Shopify Apps may need:
- shop/update - this will send updated Shop data such as the contact info of the store owner, and other settings such as the domain and Shopify billing plan.
- app/uninstall - when a store uninstalls an app, this Webhook is how you will know so you can explicitly disable access.
Securing Your Shopify Webhooks
Shopify Webhooks include a digital signature known as an HMAC to verify the integrity of incoming Webhook requests. The HMAC ensures the contents of the webhook request were not tampered with. This is possible because Shopify uses the combination of a shared secret key plus the contents of the request to build the HMAC.
If an attacker attempted to modify the request contents, the HMAC would no longer match, so the verification would fail. It is very important you verify the HMAC for every incoming webhook request or you may be susceptible to malicious attacks. For example, if a store uses an app to send Orders to a back-end order management system, an attacker could insert false Order data.
It may be tempting to skip this step, but you will leave yourself open to an easy attack vector since anyone could generate malicious callbacks.
See also: Verifying an HMAC example
Testing Your Shopify Webhooks
Shopify includes a nice feature to make it easy to test your Webhooks. Within your store, you can manually create a Webhook (under Settings > Notifications). Then you can click the "Send test notification" link to have Shopify send you a test version of a Webhook callback:
See also: Using Webhooks
Additional Words of Webhook Wisdom
Here are a few other things I'd recommend you keep in mind while using Webhooks:
- Don't do too much during the Webhook callback. If you take too long the request may time-out and Shopify will re-send the Webhook again.
- Make it easy to recreate all Webhooks via the Webhooks API. This is helpful during the app install. Also, if your app goes down for more than 48 hours Shopify will cancel your Webhooks.
- Make it easy to manually update data that is normally updated via Webhooks. You will most likely need to re-process data at some point by calling into the Shopify API. If you set things up to be flexible, you should be able to re-use the same code path.
Shopify Webhooks are basically the information superhighway for sending data from Shopify to your Shopify App. They provide a nice way to make sure your app has up-to-date information based on changes that occur within a Shopify store.
In addition, since Shopify Webhooks do not cost you anything in terms of your Shopify API call limit, they should be favored as the main path for obtaining ongoing changes to Shopify store data versus the Shopify API.
It is worth repeating that when using Shopify Webhooks, it is important to always verify the HMAC of each request to secure your app from attempts to send malicious Webhook data.
If you have any additional questions, please let me know in the comments.