verifyShopifyHmac

tagtree · /shopify · function

Verifies a Shopify webhook HMAC signature using a constant-time byte comparison to guard against timing attacks.

Signature

@nordcom/commerce-tagtree
function verifyShopifyHmac(rawBody: string, headerHmac: string, secret: string): boolean;

Parameters

| Name | Type | Description |
| --- | --- | --- |
| rawBody | string | |
| headerHmac | string | |
| secret | string | |

Returns

true when the computed digest matches the header value; false when the header is absent, the byte lengths differ, or the digest does not match.

Example

const valid = verifyShopifyHmac(
    rawBody,
    request.headers.get('x-shopify-hmac-sha256'),
    process.env.SHOPIFY_WEBHOOK_SECRET!,
);
if (!valid) return new Response('Forbidden', { status: 403 });
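
The check described above, written out as an added sketch; it is not the code in hmac.ts. It assumes an HMAC-SHA256 digest over the raw body, base64-encoded as in the `x-shopify-hmac-sha256` header, and Node's `crypto.timingSafeEqual`. The names `verifyWebhookHmac`, `signBody` and `demo` and the sample values are hypothetical.

```typescript
import { createHmac, timingSafeEqual } from 'node:crypto';

// Hypothetical stand-in for the documented check; not the code in hmac.ts.
function verifyWebhookHmac(rawBody: string, headerHmac: string | null, secret: string): boolean {
    // Absent (or empty) header: nothing to compare against.
    if (!headerHmac) return false;

    // HMAC-SHA256 over the body exactly as received, base64-encoded like the header value.
    const expected = Buffer.from(signBody(rawBody, secret), 'utf8');
    const received = Buffer.from(headerHmac, 'utf8');

    // timingSafeEqual throws on unequal lengths, so reject those first. The digest
    // length is public, so this early return reveals nothing about the secret.
    if (expected.length !== received.length) return false;

    return timingSafeEqual(expected, received);
}

// Helper used by the verifier and to sign the constructed sample below.
function signBody(body: string, secret: string): string {
    return createHmac('sha256', secret).update(body, 'utf8').digest('base64');
}

// Constructed sample data: not a real secret or real Shopify traffic.
const SAMPLE_SECRET = 'constructed-test-secret';
const SAMPLE_BODY = '{"id":1001,"topic":"orders/create"}';

function demo(): Record<string, boolean> {
    const header = signBody(SAMPLE_BODY, SAMPLE_SECRET);
    // Parsing and re-serialising changes the bytes (here: whitespace), so verify
    // against the raw body before any JSON handling.
    const reserialised = JSON.stringify(JSON.parse(SAMPLE_BODY), null, 2);
    return {
        valid: verifyWebhookHmac(SAMPLE_BODY, header, SAMPLE_SECRET),
        missingHeader: verifyWebhookHmac(SAMPLE_BODY, null, SAMPLE_SECRET),
        truncatedHeader: verifyWebhookHmac(SAMPLE_BODY, header.slice(0, 20), SAMPLE_SECRET),
        tamperedBody: verifyWebhookHmac(SAMPLE_BODY.replace('1001', '1002'), header, SAMPLE_SECRET),
        reserialisedBody: verifyWebhookHmac(reserialised, header, SAMPLE_SECRET),
        wrongSecret: verifyWebhookHmac(SAMPLE_BODY, header, 'other-secret'),
    };
}

console.log(demo());
```

Only `valid` comes back `true`; the `reserialisedBody` case is why the handler must read the request body as text and verify it before calling `JSON.parse`.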


Source: hmac.ts:20
