We send all order/menu data via various webhooks (shown in our API documentation here).
We include an HMAC header with every call we make to your order webhook, which will allow you to validate that we are the ones calling your endpoints. It's a HASH signature based on the payload and a secret. We use the SHA256 cryptographic hash function to calculate it.
The HMAC secret is configured for every integration partner and securely provided to you when you move to our production environment. While in our staging environment, the request is signed using the channelLinkId as HMAC secret.
When calculating the HASH on your end, make sure you do this based on the payload as received and don't process, parse, or otherwise modify it beforehand.
There are various online resources that further explain HMAC (e.g. Wikipedia).
You can also verify HMAC with an online checker (e.g. FreeFormatter.com), as shown in the video below.
Updated over 1 year ago