Signing & Verification in the App System
To ensure secure communication between Shopware shops and your app server, Shopware signs all outgoing requests using a cryptographic signature. The signature is generated using HMAC-SHA256, hashing either the query string or the request body, depending on the request method, with your app secret. By verifying this signature on your server, you can confirm that the request originates from Shopware and remains unaltered during transmission. This mechanism safeguards your app against request forgery and unauthorized access.
WARNING
Breaking Change Considerations
Shopware may add parameters used for signature generation without considering it a breaking change. Your app should be flexible enough to handle variations in the signature generation data.
To simplify signature verification and response signing, use our App PHP SDK or the Symfony Bundle.
If you are not using these tools, ensure that you base signature generation on all query parameters or the entire request body, rather than selecting specific parameters.
Prerequisites
You should be familiar with the concept of Apps and their registration flow.
Your app server must also be reachable by the Shopware server. You can use a tunneling service like ngrok for development.
Validating requests
INFO
Query parsing of signature
Avoid re-parsing and re-encoding the query string for HMAC validation, as parameter order and URL encoding may vary depending on the programming language used.
Shopware signs all requests sent to your app server using a cryptographic signature. This signature is generated by hashing the request's query string (or the request body, depending on the request method) with your app secret.
To ensure the request originates from Shopware, you should verify this signature before processing it.
Signing responses
Shopware expects a signature in the response to verify that the response is coming from your app server.
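The following is an added example, not code from Shopware or its SDK, that covers both the request validation and the response signing described above. It hashes the raw query string or raw body with HMAC-SHA256, as the page states, without re-parsing or re-encoding the parameters, and compares signatures in constant time. The parameter and header names (shopware-shop-signature, shopware-app-signature) and the hex encoding are assumptions for this example; confirm them against the current Shopware documentation or the App PHP SDK.

```python
import hmac
import hashlib
from typing import Optional, Tuple

# Assumed names for this example (verify against the Shopware docs): the request
# signature arrives as a query parameter (GET) or header (POST) of this name,
# and Shopware looks for the response signature in the second header.
SIGNATURE_NAME = "shopware-shop-signature"
RESPONSE_SIGNATURE_HEADER = "shopware-app-signature"


def sign(data: bytes, app_secret: str) -> str:
    """HMAC-SHA256 over the raw bytes, keyed with the app secret, hex encoded."""
    return hmac.new(app_secret.encode("utf-8"), data, hashlib.sha256).hexdigest()


def _split_signature(raw_query: str) -> Tuple[str, Optional[str]]:
    """Drop the signature parameter from the *raw* query string.

    The other segments keep their original order and encoding, so the bytes
    we hash are the bytes Shopware hashed (no re-parsing, see the INFO box).
    """
    kept, found = [], None
    for segment in raw_query.split("&"):
        name, _, value = segment.partition("=")
        if name == SIGNATURE_NAME:
            found = value
        else:
            kept.append(segment)
    return "&".join(kept), found


def _matches(expected: str, presented: Optional[str]) -> bool:
    """Constant-time comparison; a missing signature is always a failure."""
    if not presented:
        return False
    return hmac.compare_digest(expected.encode("utf-8"), presented.encode("utf-8"))


def verify_get_request(raw_query: str, app_secret: str) -> bool:
    """True only if the query's signature matches its remaining parameters."""
    unsigned_query, presented = _split_signature(raw_query)
    return _matches(sign(unsigned_query.encode("utf-8"), app_secret), presented)


def verify_post_request(raw_body: bytes, presented: Optional[str], app_secret: str) -> bool:
    """POST requests are signed over the raw body; the signature comes from a header."""
    return _matches(sign(raw_body, app_secret), presented)


def sign_response(body: bytes, app_secret: str) -> dict:
    """Header to attach so Shopware can verify the response came from this app server."""
    return {RESPONSE_SIGNATURE_HEADER: sign(body, app_secret)}
```

Reject the request before any further processing when either verifier returns False, and sign the exact bytes you send back, since any later change to the body (re-serialisation, compression by a proxy that rewrites content) invalidates the signature.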