Testing Shopify GDPR Hooks

Shopify insists apps provide 3 GDPR hooks

  • customers/redact – Requests deletion of customer data.
  • shop/redact – Requests deletion of shop data
  • customers/data_request – Requests to view stored customer data.

The problem is they can be quite hard to test as even when you trigger them in shopify test stores you still have a waiting period for your hook which can store development

This post shows how you can generate your own triggers to test these endpoints

Creating Test GDPR Messages

The tricky part of creating the messages is creating your x-shopify-hmac-sha256

We can create this using a simple html file, substituting YOURAPPSECRET for your store secret –

In the above examples I am using the message examples in the shopify documentation

You can then call it and get an output like –

shop/redact – sdasdsadasdasdasdasdadasegv4IcOrJ+29eI=
customers/redact – dsadasdasdasdasdasdasfsdfgdfhgfhtdfgrtytnmhgf5jJI=
customers/data_request – dsfdsfdsafdsafdsghfdhjtwry54yhjhmjhgkjywKdmpVTLU=

Testing Your Endpoints

We can then use the hmac to test our end points using a Rest client in your browser (in my case Talend in chrome)

Shopify GDPR Rest Test

Here I am testing the endpoint –


By POST-ing the JSON from the script above –

The key point is that your POST json should match the Json used to calculate the HMAC(minus escapes)

We also have to set the following –

  • Content-Type – application/json
  • x-shopify-topic – shop/redact
  • x-shopify-shop-domain – dimensioncalculator.myshopify.com – or whatever store you are using
  • x-shopify-hmac-sha256 – Hmac calculated from your secret
  • x-shopify-api-version – 2019-10 – Or whatever version you are using

You can then post your message and you should get the expected 200 OK message

In my case I could also check my logs to confirm the message –

2020-02-13T19:53:53.678971+00:00 app[web.1]: received webhook: { topic: ‘SHOP_REDACT’, domain: ‘dimensioncalculator.myshopify.com’ }

Note that the koa library converts “shop/redact” to “SHOP_REDACT”


The above approach shows a quick way to test your shopify endpoints outside of waiting for your test store to send the messages

If you found this post useful and would like more shopify posts then please let me know at martin@glenware.com. I am also available for Shopify consultancy work

Leave a Reply

Your email address will not be published. Required fields are marked *