Validate Requests
Introduction
We send all order and menu data to channels using various webhooks (shown in our API documentation here).
How to verify requests as coming from Deliverect
We include an HMAC header with every call we make to your order webhook, which will allow you to validate that we are the ones calling your endpoints. It's a HASH signature based on the payload and a secret. We use the SHA256 cryptographic hash function to calculate it.
The HMAC secret is configured for every integration partner and securely provided to you when you move to our production environment. While in our staging environment, the request is signed using the channelLinkId
as HMAC secret.
When calculating the HASH on your end, make sure you do this based on the payload as received and don't process, parse, or otherwise modify it beforehand.
Various online resources further explain HMAC (e.g., Wikipedia).
How to verify HMAC
You can verify an HMAC header with an online checker like FreeFormatter.com, as shown in the video below.
Updated 9 months ago