diff --git a/CHANGELOG.md b/CHANGELOG.md
index 03592334b..ed10152a1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,7 @@ and adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 ## Unreleased
+- Return a 401 instead of 403 when webhooks fail validation [#425](https://github.com/Shopify/shopify-api-node/pull/425)
 - Add optional new methods `deleteSession` and `findSessionsByShop` to `SessionStorage`, with the corresponding implementations for the various session storage adapters [#418](https://github.com/Shopify/shopify-api-node/pull/418)
 ## [4.1.0] - 2022-07-14
diff --git a/src/webhooks/__tests__/registry.test.ts b/src/webhooks/__tests__/registry.test.ts
index e88c85887..8d0975cc0 100644
--- a/src/webhooks/__tests__/registry.test.ts
+++ b/src/webhooks/__tests__/registry.test.ts
@@ -387,7 +387,7 @@ describe('ShopifyWebhooks.Registry.process', () => {
 .expect(StatusCode.Ok);
 });
- it('handles the request and returns Forbidden when topic is not registered', async () => {
+ it('handles the request and returns Not Found when topic is not registered', async () => {
 ShopifyWebhooks.Registry.addHandler('NONSENSE_TOPIC', {
 path: '/webhooks',
 webhookHandler: genericWebhookHandler,
@@ -409,10 +409,10 @@ describe('ShopifyWebhooks.Registry.process', () => {
 .post('/webhooks')
 .set(headers({hmac: hmac(Context.API_SECRET_KEY, rawBody)}))
 .send(rawBody)
- .expect(StatusCode.Forbidden);
+ .expect(StatusCode.NotFound);
 });
- it('handles the request and returns Forbidden when hmac does not match', async () => {
+ it('handles the request and returns Unauthorized when hmac does not match', async () => {
 ShopifyWebhooks.Registry.addHandler('PRODUCTS', {
 path: '/webhooks',
 webhookHandler: genericWebhookHandler,
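Review bot: The two renamed tests in this hunk cover a bad HMAC and an unregistered topic separately, but nothing here pins the precedence between the two checks: a request for an unregistered topic signed with an incorrect HMAC should still yield `StatusCode.Unauthorized`, never `StatusCode.NotFound`, otherwise the status code would tell a sender who cannot sign requests which topics are registered. A third case that reuses the `NONSENSE_TOPIC` handler but sends `hmac('incorrect secret', rawBody)` and asserts `.expect(StatusCode.Unauthorized)` would lock that ordering in. Whether such a test already exists elsewhere in the file is not visible from this hunk, and the enclosing describe block starts and ends outside it.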
@@ -434,7 +434,7 @@ describe('ShopifyWebhooks.Registry.process', () => {
 .post('/webhooks')
 .set(headers({hmac: hmac('incorrect secret', rawBody)}))
 .send(rawBody)
- .expect(StatusCode.Forbidden);
+ .expect(StatusCode.Unauthorized);
 });
 it('fails if the given body is empty', async () => {
diff --git a/src/webhooks/registry.ts b/src/webhooks/registry.ts
index 6487ff3a8..3abc87913 100644
--- a/src/webhooks/registry.ts
+++ b/src/webhooks/registry.ts
@@ -422,13 +422,13 @@ const WebhooksRegistry: RegistryInterface = {
 responseError = error;
 }
 } else {
- statusCode = StatusCode.Forbidden;
+ statusCode = StatusCode.NotFound;
 responseError = new ShopifyErrors.InvalidWebhookError(
 `No webhook is registered for topic ${topic}`,
 );
 }
 } else {
- statusCode = StatusCode.Forbidden;
+ statusCode = StatusCode.Unauthorized;
 responseError = new ShopifyErrors.InvalidWebhookError(
 `Could not validate request for topic ${topic}`,
 );
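Review bot: Both rewritten branches in the registry.ts hunk wrap the same `ShopifyErrors.InvalidWebhookError`, so the only thing distinguishing a failed request validation from an unregistered topic is `statusCode`, and neither assignment says why its code was chosen; a why-comment on each would help, e.g. `// request could not be validated: treat as unauthenticated (401), not forbidden (403)` above the `StatusCode.Unauthorized` line and `// reached only after validation succeeded, so a 404 here does not disclose registered topics to unauthenticated senders` above the `StatusCode.NotFound` line. The condition that guards the topic branch lies outside the hunk; its else-message suggests it is the request validation, which is what makes the second comment hold and is worth confirming before adding it. The 404 for an unregistered topic is also a second behavior change that the changelog entry in this commit does not mention. The enclosing function starts and ends outside the hunk.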