How to Test Shopify Webhooks

Building a Shopify app or integration requires handling webhooks. Shopify uses webhooks to notify your server about critical store events like new orders, updated products, and customer creations. Missing one of these events means dropping an order or losing sync with the storefront.

Testing these webhooks during development can be frustrating. Shopify payloads are massive nested JSON objects, and getting those payloads to your local machine requires extra infrastructure. Here is a straightforward guide to testing Shopify webhooks reliably.

Understanding Shopify webhook payloads

When an event occurs in a Shopify store, Shopify sends an HTTP POST request to your configured endpoint. The request includes specific headers you need to care about:

• X-Shopify-Topic: Tells you what happened (like orders/create or products/update).
• X-Shopify-Hmac-Sha256: The security signature you use to verify the request is actually from Shopify.
• X-Shopify-Shop-Domain: The store URL that triggered the event.

The body of the request is a JSON object. For an order creation, this object contains dozens of fields including line items, shipping addresses, customer details, and discount codes. Staring at the raw JSON to find the one field you need is a massive time sink.

The local development problem

Shopify cannot send webhooks to "localhost:3000" because your local machine is not accessible from the public internet. To test your webhook handlers locally, you need a way to capture the public payload and route it to your development environment.

Historically, developers used tools like ngrok to create a secure tunnel. While ngrok works, it introduces friction. You have to run a separate terminal process, update your Shopify app settings every time your ngrok URL changes, and manually inspect raw terminal output to see what Shopify sent.

A better way to test Shopify webhooks

Instead of fighting with raw JSON and tunneling configurations, you can use Payloader to streamline the process. Payloader is a webhook inspector built specifically for developers handling complex integrations like Shopify.

1. Capture and inspect

Create a Payloader endpoint and paste that URL into your Shopify webhook configuration. When you trigger a test event in Shopify (like creating a dummy order), Shopify sends the webhook to Payloader.

Instead of showing you a wall of JSON, Payloader automatically recognizes the Shopify payload. It extracts the event type, order number, total price, and customer details, displaying them in a plain English summary. You see exactly what happened instantly.

2. Forward to localhost

Once you understand the payload, you can use Payloader to forward it to your local environment. You configure Payloader to take any incoming Shopify webhook and proxy it directly to your local application. This gives you the routing benefits of ngrok without the URL rotation headaches.

3. Replay failed events

While writing your webhook handler, your code will inevitably crash. Instead of going back into Shopify and creating another dummy order to trigger a new webhook, you can just click "Replay" in Payloader. It will send the exact same payload back to your local server so you can test your fix immediately.

Verifying the HMAC signature

Before moving to production, ensure your code verifies the Shopify HMAC signature. Shopify hashes the raw request body using your app's shared secret. Your application must calculate the hash of the incoming body using the same secret and compare it to the "X-Shopify-Hmac-Sha256" header. If they do not match, reject the request.

Testing webhooks does not have to be a blind guessing game. By using a dedicated inspector and forwarding tool, you can build your Shopify integration faster and with far more confidence.