HMAC Authentication

When we call your endpoint

With every call we make to an endpoint on your system, we include an HMAC header. HMAC (Keyed-Hashing for Message Authentication, also expanded as Hash-based Message Authentication Code) is a hash signature that we compute from the payload and a pre-shared secret.

Our HMAC signature is computed using the SHA256 cryptographic hash function with hex encoding and appears in a request header, as in the example below. It allows you to validate that we are the ones calling your endpoints. Implementing this means of authentication isn't a requirement.

x-server-authorization-hmac-sha256:
65060aeeee*********************eeebdad3196e9d7

HMAC secrets can only be provided on request to certified partners. Before certification, requests are signed with one of the following values substituted for the HMAC secret:

  • channelLink (present in most calls to partner endpoints)
  • locationId (applicable to Dispatch API integrations and Get Products webhook for POS integrations)

For more information about HMAC and how it works, please visit Wikipedia.

ⓘ Computing HMAC
Ensure you capture the entire raw body of the JSON as a string, without any transformations, and compute the HMAC over exactly that string.
ⓘ GET requests
To calculate the HMAC for GET calls, where there is no body payload, compute it over an empty body.
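
The following receiver-side check is an added example, not code from the original page. It assumes the secret is used as the HMAC key in its UTF-8 encoding and the raw request body is the message; the sample secret, body, and function names are constructed for illustration.

```python
import hashlib
import hmac
import json

HEADER_NAME = "x-server-authorization-hmac-sha256"  # header name from this page


def compute_signature(secret: str, raw_body: bytes) -> str:
    """Hex-encoded HMAC-SHA256 of the raw body, keyed with the secret (assumed UTF-8)."""
    return hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256).hexdigest()


def verify_request(headers: dict, raw_body: bytes, secret: str) -> bool:
    """Return True only if the header matches the HMAC of the exact bytes received."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    received = {k.lower(): v for k, v in headers.items()}.get(HEADER_NAME)
    if not received:
        return False  # missing header: reject instead of skipping the check
    expected = compute_signature(secret, raw_body).encode("ascii")
    # compare_digest avoids leaking the position of the first mismatching byte.
    return hmac.compare_digest(expected, received.strip().lower().encode("utf-8"))


# Constructed sample values, not real credentials or real traffic.
SAMPLE_SECRET = "example-channel-link-id"
SAMPLE_BODY = b'{"orderId": "A-1001",  "items": [ {"plu": "P1", "qty": 2} ]}'
SAMPLE_HEADERS = {
    "X-Server-Authorization-HMAC-SHA256": compute_signature(SAMPLE_SECRET, SAMPLE_BODY)
}


def demo() -> dict:
    # Parsing and re-serialising changes whitespace, so the bytes no longer match.
    reserialised = json.dumps(json.loads(SAMPLE_BODY)).encode("utf-8")
    # GET request: no payload, so the signature covers an empty body.
    get_headers = {HEADER_NAME: compute_signature(SAMPLE_SECRET, b"")}
    return {
        "raw_body": verify_request(SAMPLE_HEADERS, SAMPLE_BODY, SAMPLE_SECRET),
        "reserialised_body": verify_request(SAMPLE_HEADERS, reserialised, SAMPLE_SECRET),
        "get_empty_body": verify_request(get_headers, b"", SAMPLE_SECRET),
        "wrong_secret": verify_request(SAMPLE_HEADERS, SAMPLE_BODY, "other-secret"),
        "missing_header": verify_request({}, SAMPLE_BODY, SAMPLE_SECRET),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

In a web framework, read the request body as bytes before any JSON middleware parses it, and pass those bytes to `verify_request`.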