X-Shopify-Hmac-Sha256 header. Register the secret on your endpoint and webhook.co verifies every delivery byte-for-byte.
Get the signing secret
For app webhooks, the secret is your app’s API secret key (Partner Dashboard → your app → API credentials). For webhooks created in the Shopify admin under Settings → Notifications, use the signing secret shown there. Shopify identifies the store inX-Shopify-Shop-Domain, but the signature is what proves authenticity.
Register it on your endpoint
The signature is base64, not hex. Register the raw secret exactly as Shopify shows it — webhook.co
handles the encoding.