Validate Requests

Learn how to validate Deliverect webhook requests by verifying the HMAC header with the raw payload and the correct environment secret.

Introduction

Validate Deliverect webhook requests by recalculating the HMAC signature from the raw request payload and comparing it with the HMAC header

Prerequisites

Before you verify a request, collect these values:

  1. Copy the raw request payload exactly as Deliverect sent it.
  2. Copy the HMAC header value from the request.
  3. Use the correct HMAC secret:
    • In production, use the HMAC secret that Deliverect securely provides when you move to production.
    • In staging, use the channelLinkId as the HMAC secret.
đźš§

When calculating the HASH on your end, make sure you do this based on the payload as received and don't process, parse, or otherwise modify it beforehand.

Verify requests from Deliverect

Deliverect sends order and menu data to channels using webhooks (shown in our API documentation here). Each request to your order webhook includes an HMAC header.

HMAC (hash-based message authentication code) is a signature calculated from the raw payload and a secret. Deliverect calculates the HMAC with the SHA256 cryptographic hash function.

Verify the HMAC locally

To verify the request, calculate your own HMAC signature and compare it with the HMAC header value Deliverect sent.

1. Save the raw request body to a file named payload.json.
2. Run this command with your HMAC secret:

bashopenssl dgst -sha256 -hmac "<hmac-secret>" payload.json
3. Compare the generated SHA256 HMAC with the request's HMAC header value.
4. Accept the request only when the values match.

If the values do not match, reject the request and confirm that you used the unmodified payload and the correct secret for the environment.

Optional: Verify the HMAC with an online checker

You can also verify an HMAC header with an online checker like FreeFormatter.com. Use SHA256 as the algorithm, paste the raw payload as the input, and enter the correct HMAC secret.

The video below shows the same manual verification flow. If you cannot access the video, follow the written steps in this section.

Various online resources further explain HMAC (e.g., Wikipedia).