FlowRelay
Setup
Authenticate requests
FlowRelay authenticates incoming events before it records the receipt and hands a trigger to Shopify Flow.
Steps
Complete these in order.
- 01Ask the sender owner whether their system can sign requests with HMAC-SHA256.
- 02Choose HMAC-SHA256 when signing is available, then store the generated signing secret only in the sender system.
- 03Choose static-header auth only when the sender cannot sign requests, then store the generated header name and value privately.
- 04Send a synthetic test event and use the receipt to confirm authentication passed before connecting real production events.
- 05If authentication fails, share the FlowRelay error code or diagnostics package. Do not paste secrets, full headers, signatures, or raw request bodies into support.
Choose the authentication mode #
Prefer signed requests when the sender supports them. Use static-header authentication only when the sender cannot sign safely.
| Mode | Use when | Operator note |
|---|---|---|
| HMAC-SHA256 | The sender can sign the request body. | Best default for production senders because FlowRelay can verify the sender knows the shared secret. |
| Static-header auth | The sender cannot create HMAC signatures. | Keep the generated header value private and rotate it if it is exposed or the sender relationship changes. |
Success check #
A test receipt shows that authentication passed before you enable production traffic. If authentication fails, fix the sender configuration and send a new synthetic event.
Support-safe troubleshooting #
Share the FlowRelay error code or a diagnostics package when someone needs help. Do not share the secret, full header value, signature, raw body, Shopify token, session data, or copied merchant incident.
Delivered means FlowRelay handed the trigger to Shopify Flow. It does not mean downstream Shopify Flow branches, app calls, fulfillment changes, emails, or later systems completed.