Visit https://2567.prd-s5y-hook-receiver-c33e.prod.shopifyapps.com/auth/token through the IAP-protected hostname to create a token and browser cookie.
Create a webhook subscription using the url of this site with any path segment. For example:
https://2567.prd-s5y-hook-receiver-c33e.prod.shopifyapps.com/my_unique_path
Send Authorization: Bearer <token> when reading, writing, or deleting webhooks outside that browser. Known Captain Hook delivery paths can still receive webhook POSTs without this token.
How does this work?
The body of authenticated POST requests to any path segment are stored in a database. Known Captain Hook delivery paths are also accepted without a hook-receiver token. Authenticated GET requests load webhooks that have been received.
Who can create, read, and delete webhooks on this site?
Shopify employees can create a 168-hour bearer token through the IAP-protected token page. The browser receives the token as a secure cookie. Webhook reads, deletes, MCP requests, and non-Captain Hook writes require that token or IAP identity.