Register three webhook endpoints in your app's Partner Dashboard (or via API): `customers/data_request`, `customers/redact`, and `shop/redact`, each pointing to your HTTPS handler URL.
In each webhook handler, verify the request authenticity by computing an HMAC-SHA256 of the raw request body using your app's client secret and comparing it to the `X-Shopify-Hmac-Sha256` header value (use a constant-time comparison).
For `customers/data_request`, collect all stored data for the identified customer and email it to the shop owner within your app's stated privacy policy timeframe.
For `customers/redact`, delete or anonymize all personal data your app stores for the identified customer.
For `shop/redact`, delete all data your app retains for the identified shop, triggered 48 hours after the shop uninstalls your app.
Return HTTP 200 promptly (within a few seconds) to acknowledge receipt; perform heavy processing asynchronously via a background job.
Known gotchas
Failing to register all three mandatory webhooks will cause your app submission or review to be rejected — they are required, not optional.
Shopify does not retry these webhooks with the same urgency as order webhooks; ensure your endpoint is highly available and logs all receipts for audit purposes.
The HMAC verification must use the raw (unparsed) request body — parsing JSON first and re-serializing can change byte ordering and cause verification failures.
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp