The JSON request was too large to be deserialized.

I've been making heavy use of Sentry lately, which is an exception tracking service that you can use in your Shopify applications. Sentry has been invaluable so far, notably so in the webhooks controller that's responsible for handling webhook requests from Shopify.

It can be difficult to debug problems with your webhooks because there isn't a real human making the requests who can tell you when they've run into a problem. That's compounded by the fact that Shopify only tells you when webhooks fail — it doesn't tell you what happened unlike e.g. Stripe.

The fact that Shopify will just completely delete your webhook after giving you only 48 hours to diagnose and fix the problem is just icing on the cake.

Earlier today, while I was writing the next chapter of The Shopify Development Handbook, I got an email from Sentry about a new exception that I had never seen before.

The JSON request was too large to be deserialized

During a webhook request to my Shopify app's "OrderCreated" action, ASP.NET threw a "System.InvalidOperationException" exception, saying that "The JSON request was too large to be deserialized".

Sentry's error tracking.

After some investigation, I learned that the webhook's body contained a huge ShopifyOrder, and ASP.NET was trying to automatically deserialize it when the request came through. Strangely, it tries to do deserialize the body even when the ShopifyOrder wasn't passed as a parameter in the action's signature.

My first thought after seeing "request was too large" was that the request must have been too large — memory-wise — for ASP.NET's default request size. But that wasn't the case. The entire request only weighed in at a measly 4 kilobytes, nowhere near ASP.NET's default max of 4 megabytes.

It turns out that the request wasn't too big in terms of memory, but too big in terms of JSON properties. The order itself was remarkable in that it contained over 100 line items, but those line items are what caused ASP.NET to fail when deserializing the body.

To prevent DDOS attacks, ASP.NET will refuse to deserialize any JSON that has over 1000 property members. To visualize that, take a look at this example JSON:

Every single property in this JSON counts toward the maximum amount that ASP.NET will deserialize before throwing an exception. When you learn that each "line_item" has 22 properties itself, and that this particular order contained over 100 line items, it quickly becomes plausible that the order would reach far beyond the maximum 1000 properties.

Luckily, there's a way that you can increase that maximum. You can add the following key to the app settings in your project's web.config file:

That's all it takes to increase the maximum number of deserializable JSON properties. However, you need to be aware that Microsoft specifically set the number to 1000 to address a Denial of Service vulnerability in ASP.NET. Increasing the maximum here could potentially leave you vulnerable to attacks, so use this at your own risk.


Learn how to build rock solid Shopify apps with C# and ASP.NET!

Did you enjoy this article? I wrote a premium course for C# and ASP.NET developers, and it's all about building rock-solid Shopify apps from day one.

Enter your email here and I'll send you a free sample from The Shopify Development Handbook. It'll help you get started with integrating your users' Shopify stores and charging them with the Shopify billing API.

We won't send you spam. Unsubscribe at any time.