Securing mandatory webhooks
Mandatory webhooks are callback methods that Shopify requires for apps listed on the Shopify App Store. Shopify requires privacy webhooks as a way to manage the personal data that an app collects.
Data privacy rules and regulations, such as the General Data Protection Regulation (GDPR) and California Privacy Rights Act (CPRA), set requirements for parties that collect, store, or process personal data of individuals. However, Shopify takes a standardized approach and requires public apps to provide the same privacy rights for all personal data, regardless of where an individual is located.
Any app that you distribute through the Shopify App Store must respond to data subject requests, regardless of whether the app collects personal data. Shopify provides mandatory webhooks to help.
Apps must meet the following webhook requirements:
- The app must implement the mandatory webhooks.
- The app must handle
POST
requests with a JSON body andContent-Type
header set toapplication/json
sent to mandatory webhooks. - If a mandatory webhook sends a request with an invalid Shopify
HMAC
header, then the app must return a401 Unauthorized
HTTP status.