We send orders from online channels to a POS via an order webhook. View the guide on how to configure this webhook here.
Each call made to your order webhook includes an HMAC header (a HASH signature that we set based on the payload and a secret). It allows you to validate that we are the ones calling your endpoints. We use the SHA256 cryptographic hash function to calculate it.
The HMAC secret is configured for every integration partner and securely communicated to you when you move to our production environment. In our staging environment, the requests are signed using the channelLinkId as the HMAC secret. The channelLinkId is the id of the channel linked to the location of your staging account.
When calculating the HASH on your end, make sure you do this based on the payload as received and don't process, parse, or otherwise modify it beforehand.
There are various online resources that further explain HMAC (e.g. Wikipedia).
You can also verify HMAC with an online checker (e.g. FreeFormatter.com), as shown in the video below.
Updated almost 2 years ago