Hey there, let's break down why your app/uninstalled webhook isn't triggering when merchants remove your app, and walk through actionable fixes to get it working:

Common Causes & Step-by-Step Fixes #

1. Your Webhook URL Isn't Publicly Accessible #

Shopify's servers need unobstructed access to your uninstall.php endpoint. Here's what to check:

• Ensure your URL uses valid HTTPS (Shopify rejects HTTP or self-signed SSL certificates).
• Confirm there's no firewall, Basic Auth, or IP whitelisting blocking incoming requests from Shopify's servers.
• Test accessibility with Postman: send a mock POST request to your URL and verify it returns a 200 OK response.
• For quick debugging, temporarily swap your address with a service like Webhook.site—if you receive the test uninstall event there, your original URL is the bottleneck.

2. You Didn't Handle the Webhook Registration Verification #

When you register a webhook, Shopify sends a GET verification request to your endpoint first. If your code only handles POST requests, the registration fails silently. Add this logic to uninstall.php (replace YOUR_SHOPIFY_APP_SECRET with your app's secret from the Partner Dashboard):

<?php
if ($_SERVER['REQUEST_METHOD'] === 'GET') {
    $hmac = $_GET['hmac'];
    $shop = $_GET['shop'];
    $timestamp = $_GET['timestamp'];
    $topic = $_GET['topic'];
    
    // Sort parameters and generate expected HMAC signature
    $params = ['shop' => $shop, 'timestamp' => $timestamp, 'topic' => $topic];
    ksort($params);
    $queryString = http_build_query($params);
    $expectedHmac = hash_hmac('sha256', $queryString, YOUR_SHOPIFY_APP_SECRET);
    
    if (hash_equals($expectedHmac, $hmac)) {
        header('HTTP/1.1 200 OK');
        echo $topic;
        exit;
    } else {
        header('HTTP/1.1 403 Forbidden');
        exit;
    }
}
?>

3. Your POST Handling Has Signature or Response Time Issues #

When Shopify sends the actual app/uninstalled event (POST), two critical requirements must be met:

• Valid HMAC signature verification: Shopify sends the X-Shopify-Hmac-SHA256 header—if validation fails, Shopify will stop retrying after several attempts.
• Fast response: Shopify expects a 200 OK within 5 seconds. If your database deletion logic is slow, return the response first, then process the deletion asynchronously.

Update your POST handling logic:

<?php
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $rawData = file_get_contents('php://input');
    $hmacHeader = $_SERVER['HTTP_X_SHOPIFY_HMAC_SHA256'];
    
    // Verify the HMAC signature
    $calculatedHmac = base64_encode(hash_hmac('sha256', $rawData, YOUR_SHOPIFY_APP_SECRET, true));
    if (!hash_equals($calculatedHmac, $hmacHeader)) {
        header('HTTP/1.1 403 Forbidden');
        exit;
    }
    
    // Extract the shop domain from the webhook data
    $webhookData = json_decode($rawData, true);
    $shopDomain = $webhookData['domain'];
    
    // Return 200 immediately to avoid Shopify timeouts
    header('HTTP/1.1 200 OK');
    exit;
    
    // (Optional) Process database deletion asynchronously (e.g., via a queue)
    // deleteShopDataFromDatabase($shopDomain);
}
?>

Note: Always use prepared statements for database operations to avoid SQL injection.

4. Your Webhook Registration Wasn't Successful #

Double-check the webhook status in your Shopify Partner Dashboard:

1. Navigate to your app's page → Webhooks tab.
2. Look for the app/uninstalled webhook:
   • If marked "Unverified": Your validation logic is incorrect.
   • If marked "Failed": Your endpoint returned non-200 responses to Shopify's test requests.
3. Re-register the webhook using Shopify's official PHP API client to avoid manual curl formatting errors:

   <?php
   use Shopify\Auth\Session;
   use Shopify\Clients\Rest;
   
   $session = new Session($shopDomain, $accessToken);
   $client = new Rest($session);
   
   $response = $client->post('/admin/webhooks.json', [
       'webhook' => [
           'topic' => 'app/uninstalled',
           'address' => 'https://my-domain/apps/app-name/uninstall.php',
           'format' => 'json'
       ]
   ]);
   
   if ($response->getStatusCode() === 201) {
       echo "Webhook registered successfully!";
   } else {
       echo "Registration failed: " . print_r($response->getErrors(), true);
   }
   ?>
   

5. Test with Shopify's Built-in Webhook Tester #

In the Partner Dashboard's Webhooks tab, click Send test notification for your app/uninstalled webhook. If you receive the test event, the webhook is working—any issues with real uninstalls might be isolated to specific merchant stores (e.g., the app was uninstalled before the webhook finished registering).

内容的提问来源于stack exchange，提问作者Mobashir