Stats

Actions

Tags

Help us improve

Share bugs, ideas, or general feedback.

shopify-webhooks | shopify-commerce

Skill

shopify-webhooks

From shopify-commerce

Implements Shopify webhooks with HTTP/GraphQL, EventBridge, Pub/Sub, SQS subscriptions; HMAC verification, GDPR webhooks, retries, idempotency for event-driven integrations.

api-development

$

npx claudepluginhub orcaqubits/agentic-commerce-skills-plugins --plugin shopify-commerce

Popularity

Parent stars

29

Parent forks

13

Invocation

How this skill is triggered — by the user, by Claude, or both

Slash command

/shopify-commerce:shopify-webhooks

User invocable

Model invocable

Inline context

Default effort

Tool Access

This skill is limited to the following tools:

ReadWriteEditBashGrepGlobWebSearchWebFetch

Context Preview

The summary Claude sees in its skill listing — used to decide when to auto-load this skill

**Fetch live docs**:

SKILL.md

146 lines · ~1k tokens

Similar Skills

shopify-webhooks-events

2.2k

Registers Shopify webhooks via GraphQL, configures GDPR subscriptions in shopify.app.toml, and implements handlers with HMAC verification for events and App Store compliance.

4 tools

bc-webhooks

29

Implements BigCommerce webhooks: manage store events like orders/products/customers, handle/verify payloads, add retry logic for real-time integrations.

8 tools

bigcommerce-commerce

shopify-apps

40.4k

Provides expert patterns for Shopify app development including Remix/React Router setup, embedded apps with App Bridge, webhook handling, GraphQL Admin API, Polaris components, billing, and app extensions.

antigravity-awesome-skills

Stats

LanguagePython

Parent stars29

Parent forks13

MaintenanceGood

Last CommitMar 25, 2026

Actions

View Source View Plugin View on GitHub View README

Tags

shopify-webhooks

hmac-verification

Help us improve

Share bugs, ideas, or general feedback.

Shopify Webhooks

Before writing code

Fetch live docs:

Web-search site:shopify.dev webhooks for webhook overview
Web-search site:shopify.dev webhook topics for available event topics
Web-search site:shopify.dev gdpr mandatory webhooks for GDPR requirements

Subscription Methods

HTTP (Default)

Shopify POSTs JSON to your endpoint:

Set up via GraphQL: webhookSubscriptionCreate
Verify with HMAC-SHA256

Amazon EventBridge

For AWS-based architectures:

Events delivered to EventBridge partner event source
Automatic retries and dead-letter queues
Set up via Partner event source ARN

Google Cloud Pub/Sub

For GCP-based architectures:

Events published to Pub/Sub topic
Topic must grant Shopify publish access

Amazon SQS

For queue-based processing:

Events delivered directly to SQS queue

HMAC Verification

Every HTTP webhook includes X-Shopify-Hmac-SHA256 header:

import crypto from 'crypto';

function verifyWebhook(body: string, hmacHeader: string, secret: string): boolean {
  const hash = crypto
    .createHmac('sha256', secret)
    .update(body, 'utf8')
    .digest('base64');
  return crypto.timingSafeEqual(
    Buffer.from(hash),
    Buffer.from(hmacHeader),
  );
}

Always verify HMAC before processing — reject unverified webhooks with 401.

Webhook Topics

Orders

orders/create, orders/updated, orders/paid, orders/fulfilled, orders/cancelled, orders/delete

Products

products/create, products/update, products/delete

Customers

customers/create, customers/update, customers/delete

Cart

carts/create, carts/update

Checkout

checkouts/create, checkouts/update

Inventory

inventory_levels/update, inventory_items/update

Fulfillments

fulfillments/create, fulfillments/update

Refunds

refunds/create

Mandatory GDPR Webhooks

Every Shopify app MUST implement these three webhooks:

customers/data_request — customer requests their data (data portability)
customers/redact — customer requests data deletion
shop/redact — store uninstalls your app, delete all store data within 48 hours

Failure to implement these can result in app rejection or removal from the App Store.

Retry Policy

Shopify retries failed deliveries (non-2xx responses)
Up to 8 retries over 4 hours with exponential backoff
Retried webhooks maintain the original payload from when triggered
Use X-Shopify-Triggered-At header to detect stale payloads
After all retries fail, the webhook subscription may be removed
Check webhook delivery status via webhookSubscriptions query

Subscribing via GraphQL

mutation WebhookSubscriptionCreate {
  webhookSubscriptionCreate(
    topic: ORDERS_CREATE
    webhookSubscription: {
      callbackUrl: "https://your-app.com/webhooks/orders"
      format: JSON
    }
  ) {
    webhookSubscription {
      id
      topic
      endpoint {
        ... on WebhookHttpEndpoint {
          callbackUrl
        }
      }
    }
    userErrors { field message }
  }
}

Best Practices

Always verify HMAC before processing
Respond with 200 immediately, then process asynchronously
Implement idempotency — webhooks may be delivered more than once
Use the webhook ID (X-Shopify-Webhook-Id header) for deduplication
Implement all three mandatory GDPR webhooks
Handle webhook subscription failures — re-subscribe if delivery fails repeatedly
Use EventBridge/Pub/Sub/SQS for high-volume scenarios
Log webhook deliveries for debugging (but never log sensitive customer data)
Version your webhook handler to handle schema changes across API versions

Fetch the Shopify webhook documentation for exact topic names, payload schemas, and subscription patterns before implementing.