Hi all - I wanted to post a little example of how I am validating my webhooks for a django app in the event it's useful.
import hashlib,base64,hmac
def is_shopify_hmac(data,secret,headerval):
''' Validates the HMAC signature from shopify. If not there, deny request.'''
hm =
hmac.new(secret,data,hashlib.sha256)
hm_digest_verify = base64.b64encode(hm.digest())
if hm_digest_verify != headerval:
return False
else:
return True
the arguments are:
data -> post body data
secret -> shared secret
headerval -> the HMAC header value from the X-Shopify-Hmac-Sha256 header.
Hope it's useful for someone, seems to work for me :)
--Matt