This week’s Building A Shopify app post is all about Shopify Webhooks. Webhooks provide a great way to keep a Shopify App in sync with changes that occur within a Shopify store.
In this post, I’ll cover:
Shopify Webhooks provide a way for an app to request to be notified of important changes that occur within a Shopify store. For example, this may include changes to Orders, Products and Customers, to name a few.
Shopify Webhooks provide the perfect complement to using the Shopify API to obtain data.
The Shopify API uses a pull model. The client, such as a Shopify App, requests data directly.
Shopify Webhooks use a push model. The client subscribes to events and Shopify pushes the data directly to the client as the events occur.
Shopify Webhooks have a few distinct advantages that make them the preferred approach for most of your Shopify App data needs:
Your app will most likely still require pulling data directly from the Shopify API as well. Using both Webhooks and the Shopify API can provide a powerful combination to obtain all of the data needed for your Shopify App.
This is the full list of available webhooks, as documented here:
To give you a concrete example, let’s take a look at how I will be using webhooks for my upcoming Best Sellers Shopify app.
My Best Sellers app will provide insights and visibility for the best selling products within a Shopify store. As a result, the app will need the following Order webhooks:
NOTE: Shopify currently does not allow editing orders so that is one use case that I do not need to support. Rumor has it this may be coming in the hopefully near future though.
In addition, here are a couple other common Shopify Webhooks most Shopify Apps may need:
Shopify Webhooks include an HMAC, a keyed hash that serves as a signature, to verify the integrity of incoming Webhook requests. The HMAC ensures the contents of the webhook request were not tampered with. This is possible because Shopify uses the combination of a shared secret key plus the contents of the request to build the HMAC.
If an attacker attempted to modify the request contents, the HMAC would no longer match, so the verification would fail. It is very important you verify the HMAC for every incoming webhook request or you may be susceptible to malicious attacks. For example, if a store uses an app to send Orders to a back-end order management system, an attacker could insert false Order data.
It may be tempting to skip this step, but you will leave yourself open to an easy attack vector since anyone could generate malicious callbacks.
See also: Verifying an HMAC example
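The verification described above, as an added example that is not the author's or Shopify's code. It assumes the HMAC arrives base64-encoded in the `X-Shopify-Hmac-Sha256` header and is an HMAC-SHA256 over the raw request body; the secret, payload and function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values; a real app loads its shared secret from configuration.
SHARED_SECRET = b"constructed-example-secret"
SAMPLE_BODY = b'{"id": 1001, "total_price": "19.99", "line_items": [{"product_id": 42, "quantity": 1}]}'


def compute_hmac(raw_body: bytes, secret: bytes) -> str:
    """Base64-encoded HMAC-SHA256 of the exact bytes received."""
    digest = hmac.new(secret, raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_webhook(raw_body: bytes, header_hmac, secret: bytes) -> bool:
    """Return True only if header_hmac matches the HMAC of raw_body."""
    if not header_hmac:  # header missing or empty: reject
        return False
    expected = compute_hmac(raw_body, secret)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode("ascii"), header_hmac.encode("utf-8", "replace"))


def handle_webhook(raw_body: bytes, headers: dict, secret: bytes):
    """Verify first, parse second. Returns (status_code, payload_or_None)."""
    # Assumes the caller has normalised header names to this exact casing.
    header_hmac = headers.get("X-Shopify-Hmac-Sha256")
    if not verify_webhook(raw_body, header_hmac, secret):
        return 401, None
    return 200, json.loads(raw_body)


if __name__ == "__main__":
    signed = {"X-Shopify-Hmac-Sha256": compute_hmac(SAMPLE_BODY, SHARED_SECRET)}
    print(handle_webhook(SAMPLE_BODY, signed, SHARED_SECRET)[0])  # genuine request
    print(handle_webhook(SAMPLE_BODY.replace(b"19.99", b"0.01"), signed, SHARED_SECRET)[0])  # tampered body
    print(handle_webhook(SAMPLE_BODY, {}, SHARED_SECRET)[0])  # no HMAC header
```

The check must run on the raw request bytes before any JSON parsing, because a parsed and re-serialized body can differ byte for byte from what was signed.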
Shopify includes a nice feature to make it easy to test your Webhooks. Within your store, you can manually create a Webhook (under Settings > Notifications). Then you can click the “Send test notification” link to have Shopify send you a test version of a Webhook callback:
See also: Using Webhooks
Here are a few other things I’d recommend you keep in mind while using Webhooks:
Shopify Webhooks are basically the information superhighway for sending data from Shopify to your Shopify App. They provide a nice way to make sure your app has up-to-date information based on changes that occur within a Shopify store.
In addition, since Shopify Webhooks do not cost you anything in terms of your Shopify API call limit, they should be favored as the main path for obtaining ongoing changes to Shopify store data versus the Shopify API.
It is worth repeating that when using Shopify Webhooks, it is important to always verify the HMAC of each request to secure your app from attempts to send malicious Webhook data.
If you have any additional questions, please let me know in the comments.