Hmac validation in shopify app

Shopify uses OAuth 2.0 for authorisation.

Every request from app is validated at shopify end. Similary every request or redirect from shopify must be validated by app server for proper verification.

for this shopify provides a hmac parameter along with other parameters.

How hmac validation can be done

hmac can be calculated in any programming language using sha256 cryptographic algorithm.

However the doc for hmac verification is provided by shopify but still there is confusion among app developers how to implement it correctly.


First we need to get the parameters except hmac parameter.

Note: we need all the parameters sent by shopify server.


keys and values must be checked for & an % characters if found then it should be replaced by %25 and %26 respectively .

if key contains = character then it should be replaced by %3d which is nothing but utf-8 value of the character.


Then build a string in which key and value are joined together using = character and such key and value pair joined by & sign .


Finally we need to calculate hmac-sha256 hash using ‘app-secret-key’ as the key .

the calculated hash digest can be checked with hmac value as provided by the shopify.

Here is the code in php for hmac verification.


function verifyHmac()
  $ar= [];
  $hmac = $_GET['hmac'];

  foreach($_GET as $key=>$value){


    $ar[] = $key."=".$value;

  $str = join('&',$ar);
  $ver_hmac =  hash_hmac('sha256',$str,"YOUR-APP-SECRET-KEY",false);

    echo 'hmac verified';



Developer, Technology aficionado, Beer Lover and founder of Network. Who shares a keen interest about website development, health issues, cancer awareness and other fun stuff.

Add comment

Follow us

Don't be shy, get in touch. We love meeting interesting people and making new friends.

Most popular

Most discussed