shopify-security-basics

Featured

Apply Shopify security best practices for API credentials, webhook HMAC validation, and access scope management. Use when securing API keys, validating webhook signatures, or auditing Shopify security configuration. Trigger with phrases like "shopify security", "shopify secrets", "secure shopify", "shopify HMAC", "shopify webhook verify".

AI & Automation 2,266 stars 315 forks Updated today MIT

Quality Score: 99/100

Stars (20%): 100
Recency (20%): 100
Frontmatter (20%): 70
Documentation (15%): 100
Issue Health (10%): 50
License (10%): 100
Description (5%): 100

Skill Content

# Shopify Security Basics

## Overview

Security essentials for Shopify apps: credential management, webhook HMAC validation, request verification, and least-privilege access scopes.

## Prerequisites

- Shopify Partner account with app credentials
- Understanding of HMAC-SHA256 signatures
- Access to Shopify app configuration

## Instructions

### Step 1: Secure Credential Storage

```bash
# .env — NEVER commit
SHOPIFY_API_KEY=your_api_key
SHOPIFY_API_SECRET=your_api_secret_key
SHOPIFY_ACCESS_TOKEN=shpat_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

# .gitignore — add immediately
.env
.env.local
.env.*.local
*.pem
```

**Token format reference:**

| Token Type | Prefix | Length | Used For |
|-----------|--------|--------|----------|
| Admin API access token | `shpat_` | 38 chars | Server-side Admin API |
| Storefront API token | varies | varies | Client-safe storefront queries |
| API secret key | none | 32+ hex | Webhook HMAC, OAuth |

### Step 2: Webhook HMAC Verification

Shopify signs every webhook with your app's API secret using HMAC-SHA256. The signature is in the `X-Shopify-Hmac-Sha256` header.

```typescript
import crypto from "crypto";
import express from "express";

function verifyShopifyWebhook(
  rawBody: Buffer,
  hmacHeader: string,
  secret: string
): boolean {
  const computed = crypto
    .createHmac("sha256", secret)
    .update(rawBody)
    .digest("base64");

  // Timing-safe comparison prevents timing attacks
  return crypto.timingSafeEqual(
    Buffer.from(computed...
```
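An added example, not code from the skill or repository shown here: a complete verifier for the `X-Shopify-Hmac-Sha256` check described in Step 2. It also rejects a missing or wrong-length header (Node's `crypto.timingSafeEqual` throws when buffer lengths differ) and shows why the HMAC has to be computed over the raw body bytes rather than re-serialized JSON. The names `verifyWebhookHmac` and `runChecks`, the sample secret and the payload are constructed for illustration.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Added example: verifies a webhook signature over the exact raw body bytes.
// verifyWebhookHmac is an illustrative name, not part of any Shopify SDK.
function verifyWebhookHmac(
  rawBody: Buffer,
  hmacHeader: string | undefined,
  secret: string
): boolean {
  if (!hmacHeader) return false; // missing header: reject instead of throwing

  const expected = createHmac("sha256", secret).update(rawBody).digest();
  const received = Buffer.from(hmacHeader, "base64");

  // timingSafeEqual throws on unequal lengths; the digest length is public, so
  // rejecting early on a length mismatch reveals nothing about the secret.
  if (received.length !== expected.length) return false;
  return timingSafeEqual(expected, received);
}

// Constructed sample values (not real credentials or a real payload).
const SAMPLE_SECRET = "constructed_example_secret";
const SAMPLE_BODY = Buffer.from('{"id": 1001, "email": "a@example.com"}', "utf8");
const SAMPLE_HEADER = createHmac("sha256", SAMPLE_SECRET)
  .update(SAMPLE_BODY)
  .digest("base64");

// Parsing and re-serializing JSON drops the whitespace, so the bytes differ.
const REENCODED_BODY = Buffer.from(
  JSON.stringify(JSON.parse(SAMPLE_BODY.toString("utf8"))),
  "utf8"
);
const TAMPERED_BODY = Buffer.from('{"id": 1002, "email": "a@example.com"}', "utf8");

function runChecks(): Record<string, boolean> {
  return {
    valid: verifyWebhookHmac(SAMPLE_BODY, SAMPLE_HEADER, SAMPLE_SECRET),
    tamperedBody: verifyWebhookHmac(TAMPERED_BODY, SAMPLE_HEADER, SAMPLE_SECRET),
    reencodedBody: verifyWebhookHmac(REENCODED_BODY, SAMPLE_HEADER, SAMPLE_SECRET),
    missingHeader: verifyWebhookHmac(SAMPLE_BODY, undefined, SAMPLE_SECRET),
    truncatedHeader: verifyWebhookHmac(SAMPLE_BODY, SAMPLE_HEADER.slice(0, 10), SAMPLE_SECRET),
    wrongSecret: verifyWebhookHmac(SAMPLE_BODY, SAMPLE_HEADER, "another_constructed_secret"),
  };
}

console.log(runChecks());
```

In a web framework, this means capturing the request body as a `Buffer` before any JSON body parser runs and passing that buffer to the verifier.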

Details

Author
jeremylongshore
Repository
jeremylongshore/claude-code-plugins-plus-skills
Created
7 months ago
Last Updated
today
Language
Python
License
MIT

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Featured

intercom-security-basics

Apply Intercom security best practices for tokens, webhook verification, and scopes. Use when securing access tokens, implementing webhook signature validation, or configuring least-privilege OAuth scopes. Trigger with phrases like "intercom security", "intercom secrets", "secure intercom", "intercom webhook signature", "intercom token rotation".

2,266 Updated today
jeremylongshore
AI & Automation Featured

hubspot-security-basics

Apply HubSpot security best practices for tokens, scopes, and webhook verification. Use when securing private app tokens, implementing least privilege scopes, or validating HubSpot webhook signatures. Trigger with phrases like "hubspot security", "hubspot token rotation", "secure hubspot", "hubspot scopes", "hubspot webhook verify".

2,266 Updated today
jeremylongshore
AI & Automation Featured

shopify-webhooks-events

Register and handle Shopify webhooks including mandatory GDPR compliance topics. Use when setting up webhook subscriptions, handling order/product events, or implementing the required GDPR webhooks for app store submission. Trigger with phrases like "shopify webhook", "shopify events", "shopify GDPR webhook", "handle shopify notifications", "shopify webhook register".

2,266 Updated today
jeremylongshore
AI & Automation Featured

shopify-install-auth

Install and configure Shopify app authentication with OAuth, session tokens, and the @shopify/shopify-api SDK. Use when setting up a new Shopify app, configuring API credentials, or initializing authentication for Admin or Storefront API access. Trigger with phrases like "install shopify", "setup shopify", "shopify auth", "shopify OAuth", "configure shopify API".

2,266 Updated today
jeremylongshore
AI & Automation Featured

klaviyo-security-basics

Apply Klaviyo security best practices for API key management and access control. Use when securing API keys, configuring OAuth scopes, implementing webhook signature verification, or auditing Klaviyo security configuration. Trigger with phrases like "klaviyo security", "klaviyo secrets", "secure klaviyo", "klaviyo API key security", "klaviyo OAuth".

2,266 Updated today
jeremylongshore