We send all order and menu data to channels using various webhooks (shown in our API documentation here).
We include an HMAC header with every call we make to your order webhook, which will allow you to validate that we are the ones calling your endpoints. It's a HASH signature based on the payload and a secret. We use the SHA256 cryptographic hash function to calculate it.
The HMAC secret is configured for every integration partner and securely provided to you when you move to our production environment. While in our staging environment, the request is signed using the
channelLinkId as HMAC secret.
When calculating the HASH on your end, make sure you do this based on the payload as received and don't process, parse, or otherwise modify it beforehand.
Various online resources further explain HMAC (e.g., Wikipedia).
You can verify an HMAC header with an online checker like FreeFormatter.com, as shown in the video below.
Updated about 1 month ago