shopify-webhooks
Implement Shopify webhooks — subscription methods (HTTP, EventBridge, Pub/Sub, SQS), HMAC verification, mandatory GDPR webhooks, delivery methods, retry policy, and idempotency. Use when building event-driven Shopify integrations.
Best use case
shopify-webhooks is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Implement Shopify webhooks — subscription methods (HTTP, EventBridge, Pub/Sub, SQS), HMAC verification, mandatory GDPR webhooks, delivery methods, retry policy, and idempotency. Use when building event-driven Shopify integrations.
Teams using shopify-webhooks should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/shopify-webhooks/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How shopify-webhooks Compares
| Feature / Agent | shopify-webhooks | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Implement Shopify webhooks — subscription methods (HTTP, EventBridge, Pub/Sub, SQS), HMAC verification, mandatory GDPR webhooks, delivery methods, retry policy, and idempotency. Use when building event-driven Shopify integrations.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Shopify Webhooks
## Before writing code
**Fetch live docs**:
1. Web-search `site:shopify.dev webhooks` for webhook overview
2. Web-search `site:shopify.dev webhook topics` for available event topics
3. Web-search `site:shopify.dev gdpr mandatory webhooks` for GDPR requirements
## Subscription Methods
### HTTP (Default)
Shopify POSTs JSON to your endpoint:
- Set up via GraphQL: `webhookSubscriptionCreate`
- Verify with HMAC-SHA256
### Amazon EventBridge
For AWS-based architectures:
- Events delivered to EventBridge partner event source
- Automatic retries and dead-letter queues
- Set up via Partner event source ARN
### Google Cloud Pub/Sub
For GCP-based architectures:
- Events published to Pub/Sub topic
- Topic must grant Shopify publish access
### Amazon SQS
For queue-based processing:
- Events delivered directly to SQS queue
## HMAC Verification
Every HTTP webhook includes `X-Shopify-Hmac-SHA256` header:
```typescript
import crypto from 'crypto';
function verifyWebhook(body: string, hmacHeader: string, secret: string): boolean {
const hash = crypto
.createHmac('sha256', secret)
.update(body, 'utf8')
.digest('base64');
return crypto.timingSafeEqual(
Buffer.from(hash),
Buffer.from(hmacHeader),
);
}
```
**Always verify HMAC before processing** — reject unverified webhooks with 401.
## Webhook Topics
### Orders
`orders/create`, `orders/updated`, `orders/paid`, `orders/fulfilled`, `orders/cancelled`, `orders/delete`
### Products
`products/create`, `products/update`, `products/delete`
### Customers
`customers/create`, `customers/update`, `customers/delete`
### Cart
`carts/create`, `carts/update`
### Checkout
`checkouts/create`, `checkouts/update`
### Inventory
`inventory_levels/update`, `inventory_items/update`
### Fulfillments
`fulfillments/create`, `fulfillments/update`
### Refunds
`refunds/create`
## Mandatory GDPR Webhooks
**Every Shopify app MUST implement these three webhooks:**
1. **`customers/data_request`** — customer requests their data (data portability)
2. **`customers/redact`** — customer requests data deletion
3. **`shop/redact`** — store uninstalls your app, delete all store data within 48 hours
Failure to implement these can result in app rejection or removal from the App Store.
## Retry Policy
- Shopify retries failed deliveries (non-2xx responses)
- Up to 8 retries over 4 hours with exponential backoff
- Retried webhooks maintain the original payload from when triggered
- Use `X-Shopify-Triggered-At` header to detect stale payloads
- After all retries fail, the webhook subscription may be removed
- Check webhook delivery status via `webhookSubscriptions` query
## Subscribing via GraphQL
```graphql
mutation WebhookSubscriptionCreate {
webhookSubscriptionCreate(
topic: ORDERS_CREATE
webhookSubscription: {
callbackUrl: "https://your-app.com/webhooks/orders"
format: JSON
}
) {
webhookSubscription {
id
topic
endpoint {
... on WebhookHttpEndpoint {
callbackUrl
}
}
}
userErrors { field message }
}
}
```
## Best Practices
- Always verify HMAC before processing
- Respond with 200 immediately, then process asynchronously
- Implement idempotency — webhooks may be delivered more than once
- Use the webhook ID (`X-Shopify-Webhook-Id` header) for deduplication
- Implement all three mandatory GDPR webhooks
- Handle webhook subscription failures — re-subscribe if delivery fails repeatedly
- Use EventBridge/Pub/Sub/SQS for high-volume scenarios
- Log webhook deliveries for debugging (but never log sensitive customer data)
- Version your webhook handler to handle schema changes across API versions
Fetch the Shopify webhook documentation for exact topic names, payload schemas, and subscription patterns before implementing.Related Skills
ucp-orders-webhooks
Implement UCP Order capability and webhook delivery — post-purchase order management with fulfillment tracking, adjustments (refunds/returns), and cryptographically signed webhook notifications. Use when building order management or webhook infrastructure.
spree-events-webhooks
Build with Spree's event bus and Webhooks 2.0 — `Spree::Events` publication, `Spree::Subscriber` DSL with `subscribes_to` and `on`, wildcard matching, lifecycle events (`{model}.created/.updated/.deleted` via `publishes_lifecycle_events`), the canonical event catalog (order.*, payment.*, shipment.*, product.*), Webhooks 2.0 endpoints, HMAC-SHA256 signing (`X-Spree-Webhook-Signature`), exponential-backoff retries, and Sidekiq job orchestration. Use when wiring event-driven business logic, building webhook consumers, or replacing ActiveSupport callback chains.
shopify-themes
Develop Shopify themes — file structure, Online Store 2.0, sections and blocks, settings schema, Dawn reference theme, Theme Check linting, asset pipeline, and theme deployment. Use when building or customizing Shopify themes.
shopify-testing
Test Shopify applications — app testing with Vitest and Playwright, theme testing with Theme Check, Function testing, webhook testing, extension testing, and CI/CD pipelines. Use when writing tests for Shopify projects.
shopify-setup
Set up a Shopify development environment — Shopify CLI installation, Partner account, development stores, environment variables, project structures for themes, apps, and Hydrogen. Use when starting a new Shopify project.
shopify-security
Secure Shopify applications — HMAC webhook verification, session token validation, OAuth scope management, Content Security Policy, GDPR mandatory webhooks, input validation, and secure coding practices. Use when implementing Shopify security features.
shopify-polaris
Build Shopify app UIs with Polaris — component categories, Web Components transition, React legacy components, App Design Guidelines, accessibility, @shopify/draggable, and design tokens. Use when building Shopify admin app interfaces.
shopify-performance
Optimize Shopify performance — Liquid rendering, asset optimization, CDN strategies, Core Web Vitals, Hydrogen caching, image optimization, preloading, and lazy loading. Use when improving Shopify store speed.
shopify-liquid
Write Shopify Liquid templates — objects, tags, filters, global objects, section schema, Online Store 2.0 JSON templates, and Liquid best practices. Use when customizing Shopify theme templates.
shopify-hydrogen
Build headless Shopify storefronts with Hydrogen — Remix-based framework, Oxygen deployment, storefront.query(), caching strategies, cart, customer accounts, SEO, and analytics. Use when building custom Shopify storefronts.
shopify-functions
Build Shopify Functions — serverless WebAssembly extensions for discounts, delivery customization, payment customization, cart validation, cart transforms, and order routing. Use when extending Shopify's backend logic.
shopify-customers
Manage Shopify customers — Customer Account API, new vs classic accounts, Multipass SSO, customer segmentation, B2B company accounts, metafields, and marketing consent. Use when working with Shopify customer data.