# Subscribing to webhooks Your app must respond to [mandatory webhook topics](/docs/apps/webhooks/configuration/mandatory-webhooks). In addition, your app can register [optional webhook topics](/docs/api/admin-rest/current/resources/webhook#event-topics). ## Configuring webhooks subscriptions Configure `shopifyApp` and setup webhook subscription with the following steps: 1. The webhooks you want to subscribe to. In this example we subscribe to the `APP_UNINSTALLED` topic. 1. The code to register the `APP_UNINSTALLED` topic after a merchant installs you app. Here `shopifyApp` provides an `afterAuth` hook. 1. Review the required scopes for the webhook topics, and update your [app scopes](/docs/apps/tools/cli/configuration#access_scopes) as necessary. > Note: You can't register mandatory topics using this package, you must [configure those in the Partner Dashboard](/docs/apps/webhooks/configuration/mandatory-webhooks) instead. ### Configure webhooks subscriptions ```tsx import {shopifyApp, DeliveryMethod} from '@shopify/shopify-app-remix/server'; const shopify = shopifyApp({ apiKey: 'abcde1234567890', // ...etc webhooks: { APP_UNINSTALLED: { deliveryMethod: DeliveryMethod.Http, callbackUrl: '/webhooks', }, }, hooks: { afterAuth: async ({session}) => { shopify.registerWebhooks({session}); }, }, }); export const authenticate = shopify.authenticate; ``` ## Set up your endpoints Create a route in your app to handle incoming webhook requests for each `callbackUrl` you set in your configuration.Legitimate webhook requests are always `POST` requests signed by Shopify, so you must authenticate them before taking any action. To do this you must set up an `action` that uses the `authenticate.webhook` function to authenticate the request. Please keep in mind that webhook endpoints should respond as quickly as possible. If you need to run a long-running job, then consider using background tasks. > Caution: Webhook endpoints **must** respond with an `HTTP 200` code, or Shopify will retry. ### Receive webhook requests ```tsx import {ActionFunctionArgs} from '@remix-run/node'; import db from '../db.server'; import {authenticate} from '~/shopify.server'; export const action = async ({request}: ActionFunctionArgs) => { const {topic, shop, session} = await authenticate.webhook(request); switch (topic) { case 'APP_UNINSTALLED': if (session) { await db.session.deleteMany({where: {shop}}); } break; case 'CUSTOMERS_DATA_REQUEST': case 'CUSTOMERS_REDACT': case 'SHOP_REDACT': default: throw new Response('Unhandled webhook topic', {status: 404}); } throw new Response(); }; ``` ## Resources ## References - [AppProvider](https://shopify.dev/docs/api/shopify-app-remix/v1/entrypoints/appprovider.txt): Sets up the Polaris `AppProvider` and injects the App Bridge script. This component extends the [`AppProvider`](https://polaris.shopify.com/components/utilities/app-provider) component from Polaris, and accepts all of its props except for `linkComponent`, which is overridden to use the Remix `Link` component. - [Admin](https://shopify.dev/docs/api/shopify-app-remix/v1/authenticate/admin.txt): Contains functions for authenticating and interacting with the Admin API. This function can handle requests for apps embedded in the Admin, Admin extensions, or non-embedded apps. - [Billing](https://shopify.dev/docs/api/shopify-app-remix/v1/apis/billing.txt): Contains function used to bill merchants for your app. This object is returned on authenticated Admin requests. - [App proxy](https://shopify.dev/docs/api/shopify-app-remix/v1/authenticate/public/app-proxy.txt): The `authenticate.public.appProxy` function validates app proxy requests made by Shopify, and returns a context to enable querying Shopify APIs. - [Checkout](https://shopify.dev/docs/api/shopify-app-remix/v1/authenticate/public/checkout.txt): The `authenticate.public.checkout` function ensures that checkout extension requests are coming from Shopify, and returns helpers to respond with the correct headers. - [Webhook](https://shopify.dev/docs/api/shopify-app-remix/v1/authenticate/webhook.txt): Contains functions for verifying Shopify webhooks. - [Admin API](https://shopify.dev/docs/api/shopify-app-remix/v1/apis/admin-api.txt): Contains objects used to interact with the Admin API. This object is returned as part of different contexts, such as [`admin`](/docs/api/shopify-app-remix/authenticate/admin), [`unauthenticated.admin`](/docs/api/shopify-app-remix/unauthenticated/unauthenticated-admin), and [`webhook`](/docs/api/shopify-app-remix/authenticate/webhook). - [Storefront API](https://shopify.dev/docs/api/shopify-app-remix/v1/apis/storefront-api.txt): Contains objects used to interact with the Storefront API. This object is returned as part of different contexts, such as [`appProxy`](/docs/api/shopify-app-remix/authenticate/public/app-proxy), and [`unauthenticated.storefront`](/docs/api/shopify-app-remix/unauthenticated/unauthenticated-storefront). - [shopifyApp](https://shopify.dev/docs/api/shopify-app-remix/v1/entrypoints/shopifyapp.txt): Returns a set of functions that can be used by the app's backend to be able to respond to all Shopify requests. The shape of the returned object changes depending on the value of `distribution`. If it is `AppDistribution.ShopifyAdmin`, then only `ShopifyAppBase` objects are returned, otherwise `ShopifyAppLogin` objects are included. - [Unauthenticated admin](https://shopify.dev/docs/api/shopify-app-remix/v1/unauthenticated/unauthenticated-admin.txt): Allows interacting with the Admin API on requests that didn't come from Shopify. > Caution: This should only be used for Requests that do not originate from Shopify. > You must do your own authentication before using this method. >This function doesn't perform **any** validation and shouldn't rely on unvalidated user input. - [Unauthenticated storefront](https://shopify.dev/docs/api/shopify-app-remix/v1/unauthenticated/unauthenticated-storefront.txt): Allows interacting with the Storefront API on requests that didn't come from Shopify. > Caution: This should only be used for Requests that do not originate from Shopify. > You must do your own authentication before using this method. >This function doesn't perform **any** validation and shouldn't rely on unvalidated user input. - [AppProvider](https://shopify.dev/docs/api/shopify-app-remix/v2/entrypoints/appprovider.txt): Sets up the Polaris `AppProvider` and injects the App Bridge script. This component extends the [`AppProvider`](https://polaris.shopify.com/components/utilities/app-provider) component from Polaris, and accepts all of its props except for `linkComponent`, which is overridden to use the Remix `Link` component. - [AppProxyForm](https://shopify.dev/docs/api/shopify-app-remix/v2/app-proxy-components/appproxyform.txt): Sets up a Remix `
` component that works when rendered behind an app proxy. Supports any properties accepted by the `` component. - [AppProxyLink](https://shopify.dev/docs/api/shopify-app-remix/v2/app-proxy-components/appproxylink.txt): Sets up an `` HTML element that works when rendered behind an app proxy. Supports any properties accepted by the `` HTML element. - [AppProxyProvider](https://shopify.dev/docs/api/shopify-app-remix/v2/entrypoints/appproxyprovider.txt): Sets up a page to render behind a Shopify app proxy, enabling JavaScript and CSS to be loaded from the app. Also provides components that enable using other components such as links and forms within proxies. > Caution: Because Remix doesn't support URL rewriting, any route using this component should match the pathname of the proxy URL exactly, and end in a trailing slash (e.g., `https:///apps/proxy/`). - [Admin](https://shopify.dev/docs/api/shopify-app-remix/v2/authenticate/admin.txt): Contains functions for authenticating and interacting with the Admin API. This function can handle requests for apps embedded in the Admin, Admin extensions, or non-embedded apps. - [Billing](https://shopify.dev/docs/api/shopify-app-remix/v2/apis/billing.txt): Contains function used to bill merchants for your app. This object is returned on authenticated Admin requests. - [Flow](https://shopify.dev/docs/api/shopify-app-remix/v2/authenticate/flow.txt): Contains functions for verifying Shopify Flow extensions. See the [Flow documentation](https://shopify.dev/docs/apps/flow/actions/endpoints) for more information. - [Fulfillment Service](https://shopify.dev/docs/api/shopify-app-remix/v2/authenticate/fulfillment-service.txt): Contains functions for verifying fulfillment service requests. See the [fulfillment service documentation](https://shopify.dev/docs/apps/fulfillment/fulfillment-service-apps) for more information. - [App proxy](https://shopify.dev/docs/api/shopify-app-remix/v2/authenticate/public/app-proxy.txt): [App proxies](/docs/apps/online-store/app-proxies) take requests to Shopify links, and redirect them to external links. The `authenticate.public.appProxy` function validates requests made to app proxies, and returns a context to enable querying Shopify APIs. > Note: If the store has not installed the app, store-related properties such as `admin` or `storefront` will be `undefined` - [Checkout](https://shopify.dev/docs/api/shopify-app-remix/v2/authenticate/public/checkout.txt): The `authenticate.public.checkout` function ensures that checkout extension requests are coming from Shopify, and returns helpers to respond with the correct headers. - [Webhook](https://shopify.dev/docs/api/shopify-app-remix/v2/authenticate/webhook.txt): Contains functions for verifying Shopify webhooks. > Note: The format of the `admin` object returned by this function changes with the `v3_webhookAdminContext` future flag. Learn more about [gradual feature adoption](/docs/api/shopify-app-remix/guide-future-flags). - [Admin API](https://shopify.dev/docs/api/shopify-app-remix/v2/apis/admin-api.txt): Contains objects used to interact with the Admin API. This object is returned as part of different contexts, such as [`admin`](/docs/api/shopify-app-remix/authenticate/admin), [`unauthenticated.admin`](/docs/api/shopify-app-remix/unauthenticated/unauthenticated-admin), and [`webhook`](/docs/api/shopify-app-remix/authenticate/webhook). - [Storefront API](https://shopify.dev/docs/api/shopify-app-remix/v2/apis/storefront-api.txt): Contains objects used to interact with the Storefront API. This object is returned as part of different contexts, such as [`appProxy`](/docs/api/shopify-app-remix/authenticate/public/app-proxy), and [`unauthenticated.storefront`](/docs/api/shopify-app-remix/unauthenticated/unauthenticated-storefront). - [shopifyApp](https://shopify.dev/docs/api/shopify-app-remix/v2/entrypoints/shopifyapp.txt): Returns a set of functions that can be used by the app's backend to be able to respond to all Shopify requests. The shape of the returned object changes depending on the value of `distribution`. If it is `AppDistribution.ShopifyAdmin`, then only `ShopifyAppBase` objects are returned, otherwise `ShopifyAppLogin` objects are included. - [Unauthenticated admin](https://shopify.dev/docs/api/shopify-app-remix/v2/unauthenticated/unauthenticated-admin.txt): Allows interacting with the Admin API when working outside of Shopify requests. This enables apps to integrate with 3rd party services and perform background tasks. > Caution: > This function doesn't perform **any** validation and shouldn't rely on raw user input. When using this function, consider the following: #### Background tasks Apps should ensure that the shop domain is authenticated when enqueueing jobs. #### 3rd party service requests Apps must obtain the shop domain from the 3rd party service in a secure way. - [Unauthenticated storefront](https://shopify.dev/docs/api/shopify-app-remix/v2/unauthenticated/unauthenticated-storefront.txt): Allows interacting with the Storefront API when working outside of Shopify requests. This enables apps to integrate with 3rd party services and perform background tasks. > Caution: > This function doesn't perform **any** validation and shouldn't rely on raw user input. When using this function, consider the following: #### Background tasks Apps should ensure that the shop domain is authenticated when enqueueing jobs. #### 3rd party service requests Apps must obtain the shop domain from the 3rd party service in a secure way. - [AppProvider](https://shopify.dev/docs/api/shopify-app-remix/v3/entrypoints/appprovider.txt): Sets up the Polaris `AppProvider` and injects the App Bridge script. This component extends the [`AppProvider`](https://polaris.shopify.com/components/utilities/app-provider) component from Polaris, and accepts all of its props except for `linkComponent`, which is overridden to use the Remix `Link` component. - [AppProxyForm](https://shopify.dev/docs/api/shopify-app-remix/v3/app-proxy-components/appproxyform.txt): Sets up a Remix `` component that works when rendered behind an app proxy. Supports any properties accepted by the `` component. - [AppProxyLink](https://shopify.dev/docs/api/shopify-app-remix/v3/app-proxy-components/appproxylink.txt): Sets up an `` HTML element that works when rendered behind an app proxy. Supports any properties accepted by the `` HTML element. - [AppProxyProvider](https://shopify.dev/docs/api/shopify-app-remix/v3/entrypoints/appproxyprovider.txt): Sets up a page to render behind a Shopify app proxy, enabling JavaScript and CSS to be loaded from the app. Also provides components that enable using other components such as links and forms within proxies. > Caution: Because Remix doesn't support URL rewriting, any route using this component should match the pathname of the proxy URL exactly, and end in a trailing slash (e.g., `https:///apps/proxy/`). - [Admin](https://shopify.dev/docs/api/shopify-app-remix/v3/authenticate/admin.txt): Contains methods for authenticating and interacting with the Admin API. This function can handle requests for apps embedded in the Admin, Admin extensions, or non-embedded apps. - [Billing](https://shopify.dev/docs/api/shopify-app-remix/v3/apis/billing.txt): Contains function used to bill merchants for your app. This object is returned on authenticated Admin requests. - [Scopes](https://shopify.dev/docs/api/shopify-app-remix/v3/apis/scopes.txt): Contains functions used to manage scopes for your app. This object is returned on authenticated Admin requests. - [Flow](https://shopify.dev/docs/api/shopify-app-remix/v3/authenticate/flow.txt): Contains functions for verifying Shopify Flow extensions. See the [Flow documentation](https://shopify.dev/docs/apps/flow/actions/endpoints) for more information. - [Fulfillment Service](https://shopify.dev/docs/api/shopify-app-remix/v3/authenticate/fulfillment-service.txt): Contains functions for verifying fulfillment service requests. See the [fulfillment service documentation](https://shopify.dev/docs/apps/fulfillment/fulfillment-service-apps) for more information. - [App proxy](https://shopify.dev/docs/api/shopify-app-remix/v3/authenticate/public/app-proxy.txt): [App proxies](/docs/apps/online-store/app-proxies) take requests to Shopify links, and redirect them to external links. The `authenticate.public.appProxy` function validates requests made to app proxies, and returns a context to enable querying Shopify APIs. > Note: If the store has not installed the app, store-related properties such as `admin` or `storefront` will be `undefined` - [Checkout](https://shopify.dev/docs/api/shopify-app-remix/v3/authenticate/public/checkout.txt): The `authenticate.public.checkout` function ensures that checkout extension requests are coming from Shopify, and returns helpers to respond with the correct headers. - [Customer account](https://shopify.dev/docs/api/shopify-app-remix/v3/authenticate/public/customer-account.txt): The `authenticate.public.customerAccount` function ensures that customer account extension requests are coming from Shopify, and returns helpers to respond with the correct headers. - [Webhook](https://shopify.dev/docs/api/shopify-app-remix/v3/authenticate/webhook.txt): Contains functions for verifying Shopify webhooks. - [Admin API](https://shopify.dev/docs/api/shopify-app-remix/v3/apis/admin-api.txt): Contains objects used to interact with the Admin API. This object is returned as part of different contexts, such as [`admin`](/docs/api/shopify-app-remix/authenticate/admin), [`unauthenticated.admin`](/docs/api/shopify-app-remix/unauthenticated/unauthenticated-admin), and [`webhook`](/docs/api/shopify-app-remix/authenticate/webhook). - [Storefront API](https://shopify.dev/docs/api/shopify-app-remix/v3/apis/storefront-api.txt): Contains objects used to interact with the Storefront API. This object is returned as part of different contexts, such as [`appProxy`](/docs/api/shopify-app-remix/authenticate/public/app-proxy), and [`unauthenticated.storefront`](/docs/api/shopify-app-remix/unauthenticated/unauthenticated-storefront). - [shopifyApp](https://shopify.dev/docs/api/shopify-app-remix/v3/entrypoints/shopifyapp.txt): Returns a set of functions that can be used by the app's backend to be able to respond to all Shopify requests. The shape of the returned object changes depending on the value of `distribution`. If it is `AppDistribution.ShopifyAdmin`, then only `ShopifyAppBase` objects are returned, otherwise `ShopifyAppLogin` objects are included. - [Unauthenticated admin](https://shopify.dev/docs/api/shopify-app-remix/v3/unauthenticated/unauthenticated-admin.txt): Allows interacting with the Admin API when working outside of Shopify requests. This enables apps to integrate with 3rd party services and perform background tasks. > Caution: > This function doesn't perform **any** validation and shouldn't rely on raw user input. When using this function, consider the following: #### Background tasks Apps should ensure that the shop domain is authenticated when enqueueing jobs. #### 3rd party service requests Apps must obtain the shop domain from the 3rd party service in a secure way. - [Unauthenticated storefront](https://shopify.dev/docs/api/shopify-app-remix/v3/unauthenticated/unauthenticated-storefront.txt): Allows interacting with the Storefront API when working outside of Shopify requests. This enables apps to integrate with 3rd party services and perform background tasks. > Caution: > This function doesn't perform **any** validation and shouldn't rely on raw user input. When using this function, consider the following: #### Background tasks Apps should ensure that the shop domain is authenticated when enqueueing jobs. #### 3rd party service requests Apps must obtain the shop domain from the 3rd party service in a secure way.