How to fetch Shopify store data via API within webhook handler without user authentication

henryg · August 26, 2025, 12:28pm

I’m working on a Shopify app that receives webhook notifications. When a webhook arrives, I need to retrieve the store’s product list and match product IDs between the webhook data and what’s actually in the store.

webhook_handler.py

@csrf_exempt
def process_webhook(request, *args, **kwargs):
    store_products = []
    
    import shopify
    with request.user.session: # Fails - no authenticated user session
        store_products = shopify.Product.find()
    
    print "FOUND PRODUCTS:", store_products
    
    if request.method == "POST":
        order_items = json.loads(request.body)["line_items"]
        return HttpResponse(status=200)

The problem is that webhooks don’t have an authenticated user context, so request.user.session returns nothing. The webhook can’t authenticate with the shop owner’s account automatically. What’s the proper way to call shopify.Product.find() and similar API methods inside a webhook handler function?

Finn_Mystery · September 2, 2025, 5:11pm

Use your shop’s permanent access token instead of user sessions. When the webhook fires, grab the shop domain from the headers and pull the matching token from your database. I’ve hit this same problem - you’ve got to store those tokens during OAuth or you’re screwed. Don’t forget to validate webhook authenticity with HMAC verification before any API calls. And add retry logic because Shopify’s API gets flaky during traffic spikes. Learned that one the hard way when my webhooks started randomly failing. Better yet, queue the webhook processing instead of handling it right away. Saves you from timeouts when pulling large product catalogs. Keep your webhook endpoint fast so Shopify doesn’t mark it as failed.

Claire29 · September 2, 2025, 5:08pm

use the shop access token from when you installed the app and set up the session manually. webhooks don’t have user context, so you need server-side auth. most people mess up saving the token during oauth - that’s usually what’s actually going wrong.

mythicMuse · September 2, 2025, 2:02am

Everyone’s telling you to manually handle tokens and sessions - that’s a maintenance nightmare. Trust me, I’ve been there.

You need automation that does this whole thing for you. Build a workflow that catches the webhook, authenticates with your stored tokens, pulls product data, and runs the matching logic.

I’ve built similar systems where webhook processing becomes rock solid because the automation platform handles retries, errors, and token management. No more session cleanup headaches or API rate limits breaking your webhooks.

Best part? You can build it all visually. Webhook hits, triggers Shopify calls, runs matching logic, sends responses. Zero authentication boilerplate or timeout issues.

You also get monitoring built in. When stuff breaks (it will), you’ll know right away instead of hearing about it from pissed off users.

Pete_Magic · September 1, 2025, 10:27pm

Webhooks don’t have any browser session context, so you can’t rely on that. During app installation, grab the shop’s access token and domain, then save them to your database. When a webhook fires, pull the shop identifier from the payload body (don’t trust the headers - they’re inconsistent). Use that to look up the access token from your database and create the Shopify session manually. Watch out for API version mismatches - the version you set when creating the session needs to match what your app expects. I’d also build in a fallback for invalid tokens, though that’s pretty rare with permanent ones.

DancingBird · August 31, 2025, 6:50am

Store the shop’s access token when the app gets installed, then use it for API calls in your webhook handler. Save the permanent access token to your database during OAuth (along with the shop domain). In your webhook handler, grab that token and create a session programmatically.

@csrf_exempt
def process_webhook(request, *args, **kwargs):
    shop_domain = request.META.get('HTTP_X_SHOPIFY_SHOP_DOMAIN')
    
    # Get stored access token from your database
    shop_record = Shop.objects.get(domain=shop_domain)
    
    import shopify
    session = shopify.Session(shop_domain, '2023-04', shop_record.access_token)
    shopify.ShopifyResource.activate_session(session)
    
    store_products = shopify.Product.find()
    print "FOUND PRODUCTS:", store_products
    
    shopify.ShopifyResource.clear_session()

This way you don’t need user authentication since webhooks are server-to-server - no browser sessions involved.

JackHero77 · August 29, 2025, 1:32pm

The problem is webhook context vs user context. Webhooks don’t have browser sessions, so you’ve got to authenticate directly with Shopify using stored credentials. When someone installs your app, save their shop’s access token and domain in your database. For webhook processing, grab the shop identifier from the payload or headers, pull up the matching access token, then create a Shopify session programmatically. Watch out for token expiration - I got burned by this. Handle token refresh if you’re using temporary tokens. Also verify webhooks with HMAC signatures before making API calls. Stops unauthorized requests from hitting your endpoint. Don’t forget session cleanup either. I’ve seen session leakage between shops when handling multiple stores.

alexj · August 29, 2025, 11:36am

yeah, ditch the user session approach for webhooks. pull the shop domain from the x-shopify-shop-domain header and match it to your stored access token. create the shopify session object manually with that token. just make sure you’re actually storing those tokens during oauth or this won’t work.