There is an unclarity in the docs regarding how to verify a signature. The method described in the Oauth page (http://docs.shopify.com/api/tutorials/oauth) is different than the one described in the webhook page (http://docs.shopify.com/api/tutorials/using-webhooks#verify-webhook)
In the Oauth there's a requirement to sort the request params, then concat it to the secret and then md5 it?
In the webhook it says to do an hmac/sha256 with the secret apart from the data?
Can you please shed some light here? Do I need to verify signatures differently in oauth and webhooks?
And - can you provide a working example in node.js ;-) ?