Shopify Partner Apps & GDPR Webhooks: Unlocking Compliance in the New UI (and Solving HMAC Issues!)
Hey everyone! Your friendly Shopify migration expert here, diving into a really important topic that’s been popping up in the community lately. We recently had a thread titled "Partner account not able to add GDPR webhooks link under partner account" where a developer, Support5, was running into some head-scratching issues with their app's GDPR compliance webhooks. If you're building or managing a Shopify app, especially one that's CLI-managed, this is going to sound familiar.
The core of the problem, as Support5 highlighted, was two-fold: not being able to find the GDPR webhook fields in the new Partner UI, and then failing the automated checks for "Provides mandatory compliance webhooks" and "Verifies webhooks with HMAC signatures." Let's break down what's happening and how to fix it, drawing from the excellent insights shared in the discussion.
The Case of the Missing GDPR Webhook Fields
If you've been poking around the new Shopify Partner UI looking for those familiar GDPR webhook input fields, and they're just... gone, you're not alone. This is a common point of confusion, and our community expert, ShopIntegrations, hit the nail on the head with the explanation: "Yeah, the new Partner UI hides those fields if your app is managed via CLI. You have to do it entirely in your shopify.app.toml file now."
This is a crucial shift. For apps that you're developing and managing through the Shopify CLI (Command Line Interface), the dashboard won't be your go-to for these specific settings anymore. Shopify is pushing for a more code-centric approach for CLI-managed apps, centralizing configuration within your app's codebase.
Configuring GDPR Webhooks via shopify.app.toml
So, where do these webhooks go? Directly into your shopify.app.toml file. This file acts as the manifest for your app, defining various configurations, and now that includes your privacy compliance webhooks. Here’s the section you’ll need to add to your shopify.app.toml file:
```toml
[webhooks.privacy_compliance]
customer_deletion_url = "https://your-domain.com/api/webhooks/customers/redact"
customer_data_request_url = "https://your-domain.com/api/webhooks/customers/data_request"
shop_deletion_url = "https://your-domain.com/api/webhooks/shop/redact"
```
A few important notes here:
- Replace "https://your-domain.com/": update these URLs to your app's real domain and the routes where your webhook handlers live. These are the URLs Shopify will call when a customer requests their data, when a customer's data must be redacted, and when a shop uninstalls and its data must be redacted.
- Mandatory compliance: all three webhooks are required for GDPR (and similar privacy regulations) compliance. They tell Shopify where to send customer data access requests, customer data redaction requests, and shop data redaction requests.
- The endpoints must be HTTPS and must verify the HMAC signature like any other webhook. Shopify's automated check sends requests to these URLs and expects a 401 response when the signature is invalid, so an endpoint that accepts anything will fail the check even though it is "reachable".
Don't Forget to Push Your Changes!
Just adding this section to your shopify.app.toml locally isn't enough to update Shopify's end. This is where Support5 might have gotten stuck when they mentioned "i created toml file as well but not works for me." ShopIntegrations provided the critical next step:
"Once you save that, you must run shopify app config push in your terminal to actually update it on Shopify’s end. Just saving the file locally won’t update the dashboard."
This command synchronizes your local shopify.app.toml configuration with your app's settings on the Shopify Partner dashboard. Think of it as pushing your app's blueprint to Shopify. Without this step, Shopify won't know about the new webhook URLs you've defined, and your app will continue to fail the automated compliance checks. One caveat: newer Shopify CLI releases fold configuration pushes into shopify app deploy, so if config push is not listed in shopify app --help on your CLI version, run shopify app deploy instead and confirm the URLs appear in the dashboard afterwards.
Solving the HMAC Verification Headache (Especially for Laravel)
Even after correctly setting up the shopify.app.toml and pushing the configuration, Support5 was still seeing "Verifies webhooks with HMAC signatures" fail. This is a classic stumbling block for many developers, and it often comes down to how you're calculating the HMAC signature on your backend. Support5 specifically mentioned their backend is in Laravel, which is a common setup.
The golden nugget of advice from ShopIntegrations for HMAC failures, particularly with Laravel, was:
"For the HMAC failing, double check your Laravel middleware. Make sure you’re using the raw request body to calculate the HMAC with your App Secret, not the parsed JSON. That’s usually what trips up the automated check."
This is super important! When Shopify sends a webhook, it includes an X-Shopify-Hmac-SHA256 header. The value is HMAC-SHA256, keyed with your app's shared secret, computed over the exact bytes of the request body, and then base64-encoded. To verify it you must compute the same thing over the raw, unparsed HTTP request body with the same secret and compare the two base64 strings using a constant-time comparison (hash_equals in PHP). If your Laravel middleware (or any backend framework) parses the incoming JSON and you then re-serialize it before hashing, the bytes you hash will differ from the bytes Shopify signed (whitespace, key order and escaping all change), so the MAC will not match and verification fails.
Here’s what to check in your Laravel setup:
- Accessing the raw body: make sure your webhook handler or middleware reads the raw request body. In Laravel that is $request->getContent(). Do not use $request->json() or request()->all() for the HMAC calculation, as those give you parsed content, not the bytes that were signed.
- App Secret: double-check that you're using the correct App Secret (from your Shopify Partner dashboard) as the HMAC key. It is case-sensitive, and it is the client secret, not the API key.
- Comparison: compare the base64 of your HMAC with the header value using hash_equals, not == or ===, so the comparison does not leak timing information and so a missing header is rejected rather than treated as equal to an empty string.
- Encoding: hash the body bytes exactly as received. Do not trim, re-encode, pretty-print or otherwise transform them, and do not run the raw body through a charset conversion; Shopify sends UTF-8 and the bytes must reach hash_hmac unchanged.
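Here is an added example, not code from the original thread or from Shopify, that puts the checklist above into a Laravel middleware and also demonstrates the failure mode described earlier: the same secret and header verify correctly over the raw body and fail over a parsed-and-re-serialized copy. It assumes the app secret is stored under the config key services.shopify.secret and that the class name VerifyShopifyWebhook is registered on your webhook routes; both names are illustrative. The sample payload and secret at the bottom are constructed so the file also runs stand-alone with plain php.

```php
<?php
// Added example (not from the original post or from Shopify): verify the
// X-Shopify-Hmac-SHA256 header over the raw request body in Laravel.
// Assumptions: the app secret lives in config('services.shopify.secret') and
// this middleware is attached to the webhook routes; both names are illustrative.

declare(strict_types=1);

/**
 * Pure verification routine: HMAC-SHA256 over the exact bytes Shopify sent,
 * keyed with the app secret, base64-encoded, compared in constant time.
 */
function shopifyWebhookHmacValid(string $rawBody, ?string $headerValue, string $appSecret): bool
{
    if ($headerValue === null || $headerValue === '') {
        return false;            // missing header is a failure, not an empty match
    }
    // $binary = true returns raw digest bytes; Shopify base64-encodes those bytes.
    $computed = base64_encode(hash_hmac('sha256', $rawBody, $appSecret, true));
    // hash_equals avoids a timing side channel on the comparison.
    return hash_equals($computed, $headerValue);
}

/**
 * Laravel middleware wrapping the routine above. Attach it only to the
 * webhook routes. If those routes are in the "web" group, also add them to
 * the $except list of the VerifyCsrfToken middleware, since Shopify cannot
 * send a CSRF token.
 */
class VerifyShopifyWebhook
{
    public function handle(\Illuminate\Http\Request $request, \Closure $next)
    {
        // getContent() returns the unparsed body. $request->all() or
        // $request->json() would give re-parsed data that no longer matches
        // the bytes Shopify signed.
        $rawBody = $request->getContent();
        $header  = $request->header('X-Shopify-Hmac-SHA256');
        $secret  = (string) config('services.shopify.secret'); // assumed config key

        if (!shopifyWebhookHmacValid($rawBody, $header, $secret)) {
            abort(401, 'Invalid webhook signature');   // Shopify's check expects 401
        }
        return $next($request);
    }
}

// ---- Stand-alone demonstration with constructed data (no Laravel needed) ----

// Shopify's side, simulated: sign the exact bytes that go on the wire.
function signLikeShopify(string $rawBody, string $appSecret): string
{
    return base64_encode(hash_hmac('sha256', $rawBody, $appSecret, true));
}

$secret  = 'example_app_secret_not_real';                           // constructed
$rawBody = "{\"shop_id\": 954889,\n  \"shop_domain\": \"example.myshopify.com\"}"; // constructed
$header  = signLikeShopify($rawBody, $secret);

// Verifying over the raw bytes reproduces Shopify's MAC.
var_dump(shopifyWebhookHmacValid($rawBody, $header, $secret));

// Parsing and re-serializing drops the whitespace, so the bytes differ and the
// MAC no longer matches even though the JSON is semantically identical.
$reserialized = json_encode(json_decode($rawBody, true));
var_dump(shopifyWebhookHmacValid($reserialized, $header, $secret));

// A missing or empty header is rejected outright rather than compared.
var_dump(shopifyWebhookHmacValid($rawBody, null, $secret));
```

Register the middleware on the three compliance routes (and on any other webhook routes) rather than globally, so the raw-body check runs before any controller or form-request parsing touches the payload. Keeping the verification in a pure function, as above, also lets you unit-test it with a captured Shopify request without booting the framework.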
By implementing these changes, especially ensuring you're using the raw request body for HMAC verification, you should be able to pass Shopify's automated checks for webhook signature verification. It's a subtle but critical detail that trips up a lot of developers.
So, there you have it! If you're building a CLI-managed Shopify app and grappling with GDPR webhooks or HMAC verification, remember these key takeaways: ditch the UI for shopify.app.toml, always shopify app config push your changes, and for HMAC, always, always use the raw request body. These steps should get your app sailing smoothly through Shopify's compliance checks and help you maintain that all-important trust with your merchants.