Photo: free stock photography (Unsplash licence) — see imprint
The registration handshake
When a shop installs your app, Shopware calls your registration URL, you answer with a proof and a shop secret, and Shopware confirms. Get this wrong and the app installs but never receives an event — with no obvious error anywhere. Log both sides of the handshake from day one.
Verify every request, without exception
Every webhook Shopware sends is signed. If you do not verify that signature, your app server is an open endpoint that anyone on the internet can use to move your customers' orders around. This is fifteen lines of HMAC code and it is not optional.
One app, many shops
Your server will hold credentials for every shop that installed it. Store the shop ID, the shop URL and the secret as a proper record, and never let a webhook from shop A touch data from shop B. Multi-tenancy bugs in an app server are the kind that end up in the press.
Answer fast, work later
Shopware expects a quick HTTP response to a webhook. Do not do the ERP sync inside the handler — acknowledge, push a job onto a queue, and let a worker do the real work. Otherwise a slow supplier API becomes a timing-out shop.
- Log both sides of the registration handshake.
- Unverified webhook signatures = open endpoint.
- Acknowledge fast, queue the real work.
We do this for a living — Shopware, Node.js, React, ERP integration and automation for B2B.
Talk to an engineer