Validate Requests


We send all order and menu data to channels using various webhooks (shown in our API documentation here).

How to verify requests as coming from Deliverect

We include an HMAC header with every call we make to your order webhook, which will allow you to validate that we are the ones calling your endpoints. It's a HASH signature based on the payload and a secret. We use the SHA256 cryptographic hash function to calculate it.

The HMAC secret is configured for every integration partner and securely provided to you when you move to our production environment. While in our staging environment, the request is signed using the channelLinkId as HMAC secret.


When calculating the HASH on your end, make sure you do this based on the payload as received and don't process, parse, or otherwise modify it beforehand.

Various online resources further explain HMAC (e.g., Wikipedia).

How to verify HMAC

You can verify an HMAC header with an online checker like, as shown in the video below.