Shopify Webhooks Basics: Essential Guide for Developers

Learn Shopify webhooks fundamentals: event topics, delivery mechanisms, verification, and best practices for building reliable ecommerce integrations.

Updated 2026-06-20

If you're building apps or integrations for Shopify stores, webhooks are one of the most powerful—and most misunderstood—tools at your disposal. Instead of constantly polling the Shopify API asking "has anything changed?", webhooks let Shopify notify your application the instant something important happens. In this guide, we'll cover what webhooks are, how they work, and the practical steps to use them reliably.

What Are Shopify Webhooks?

A webhook is a way for Shopify to push real-time notifications to your application when specific events occur in a merchant's store. When you subscribe to a webhook topic—say, orders/create—Shopify sends an HTTP POST request to your endpoint each time a new order is placed. Your application then acts on that notification: syncing the order to your database, triggering a workflow, or notifying staff.

This is fundamentally different from polling, which wastes API calls and often introduces latency. Webhooks are event-driven, which makes them ideal for building responsive, scalable integrations.

Common Webhook Topics

Shopify offers webhooks across the entire store lifecycle. Here are the most frequently used:

Orders & Transactions

• orders/create, orders/update, orders/cancelled, orders/fulfilled – Track order creation, changes, cancellations, and fulfillment status
• order_transactions/create – Triggered when a payment or refund is added to an order

Customers

• customers/create, customers/update, customers/delete – Monitor customer profile changes
• customers/disable, customers/enable – Capture account activation and deactivation
• customers/merge – Fires when two customer records are merged

Products & Collections

• products/create, products/update, products/delete – Track inventory and product metadata changes
• collections/create, collections/update, collections/delete – Monitor collection updates
• product_listings/add, product_listings/update, product_listings/remove – Track multi-channel product publication

Fulfillment

• fulfillments/create, fulfillments/update – Monitor shipment status
• fulfillment_orders/ (multiple topics) – Detailed fulfillment order state transitions

Compliance

• customers/data_request, customers/redact, shop/redact – Mandatory privacy-related webhooks for GDPR and similar regulations

How Webhook Delivery Works

When you register a webhook subscription, you specify:

1. Topic – What event to monitor (e.g., orders/create)
2. Destination – Where Shopify sends the notification (an HTTPS URL, Google Pub/Sub URI, or Amazon EventBridge ARN)
3. Format – JSON or XML (JSON is the default and recommended)
4. Filters (optional) – Narrow which deliveries trigger (e.g., only for a specific product type)

Once configured, here's what happens:

1. An event occurs in the store (e.g., a customer places an order)
2. Shopify generates a JSON payload with event details and sends an HTTP POST to your endpoint
3. Your endpoint receives the request and returns a 2xx HTTP status code within 5 seconds
4. If you return 2xx, the delivery is marked successful
5. If Shopify doesn't receive a response (timeout, 5xx error, network failure), it retries up to 8 times over 4 hours using exponential backoff

This retry mechanism ensures you won't miss events, but it also means your endpoint must be idempotent—it should handle receiving the same event multiple times without creating duplicates.

Verifying Webhook Authenticity

Every webhook delivery includes security headers to prove it came from Shopify:

• X-Shopify-Hmac-SHA256 – An HMAC signature computed using your app's secret key
• X-Shopify-Webhook-Id – A unique identifier for this delivery
• X-Shopify-Topic – The topic that triggered the delivery
• X-Shopify-Triggered-At – The ISO 8601 timestamp when the event occurred

To verify authenticity, decode the X-Shopify-Hmac-SHA256 header and compare it against an HMAC-SHA256 hash of the raw request body using your app's API secret. If they match, the webhook came from Shopify. This prevents spoofed requests from malicious actors.

Additionally, use X-Shopify-Webhook-Id to track which deliveries you've already processed. If you receive the same Webhook-Id twice, ignore the duplicate—this handles the case where Shopify retried but your first response was delayed, not lost.

Best Practices for Reliable Webhooks

1. Don't rely on webhooks alone. Shopify doesn't guarantee delivery of every webhook event. If a merchant's store is heavily throttled or Shopify experiences an outage during a retry window, you could miss an event. Implement a reconciliation job that periodically queries the Shopify API to fetch recent changes (using updated_at filters) and sync anything you missed.

2. Handle event ordering uncertainty. Webhooks for different topics may not arrive in chronological order. If products/update fires before orders/create for the same order, use timestamps (X-Shopify-Triggered-At header or updated_at field in the payload) to reconstruct the correct sequence.

3. Make your endpoint fast and asynchronous. Shopify enforces a 5-second timeout. If your processing is slow, defer heavy work to a background job queue (Redis, RabbitMQ, etc.) and return 2xx immediately.

4. Use delivery filters to reduce noise. If you only care about orders above a certain value or products in a specific collection, use filter parameters when subscribing. This reduces payload size and saves your processing power.

5. Log everything. Store webhook payloads, timestamps, and processing results. When debugging integration issues, these logs are invaluable.

Setting Up a Webhook (Quick Example)

In a typical Node.js or Python app using the Shopify CLI or Admin API:

1. Register your webhook subscription in shopify.app.toml or via the GraphQL Admin API with your topic and HTTPS endpoint
2. Your endpoint receives a POST request with the event payload
3. Verify the HMAC signature
4. Extract the relevant data and process it (sync to your database, trigger a workflow, etc.)
5. Return a 2xx status code to confirm receipt
6. If processing fails, return a non-2xx code so Shopify retries

For merchants operating multiple Shopify stores at once, webhooks become even more critical—you need unified notifications across all stores to act in real time. This is where centralized tools that aggregate webhooks from all stores (with automatic order synchronization and real-time dashboards) simplify operations dramatically.

Why Webhooks Matter for Multi-Store Operations

If you're managing webhooks across multiple stores or building tools for merchants who do, webhooks unlock powerful automations: syncing orders to fulfillment systems, triggering email campaigns, updating inventory, or flagging high-value orders for manual review. Without webhooks, you'd be stuck polling—wasting API quota and introducing lag.

Ready to take control of your Shopify operations? StoreFleet's platform consolidates webhooks and data from all your stores into one unified dashboard, complete with real-time order tracking, bulk shipment updates via 17TRACK, and consolidated financial insights. Whether you're running 5 stores or 50, a single integration replaces dozens of disconnected workflows. Get a free 1-on-1 demo tailored to your store at https://storefleet.io.vn.

Sources

• Shopify Webhooks Documentation
• Shopify Admin REST API – Webhook Resource
• Shopify Webhook Topics Reference
• Troubleshoot webhooks
• Verify webhook deliveries
• Privacy law compliance
• 17TRACK Order Tracking - Shopify App Store