Authentication / Security

When we call your endpoint

With every call we make to an endpoint on your system, we include an HMAC header. HMAC stands for Keyed-Hashing for Message Authentication code and is a HASH signature that we set based on the payload and a pre-shared secret.

Our HMAC signature is computed using the SHA256 cryptographic hash function with hex encoding and will show in the header of request as the example below. This will allow you to validate that we are the ones calling your endpoints. Implementing this means of authentication isn't a requirement.


HMAC secrets can only be provided on request to certified partners. Prior to being certified, requests are signed with the HMAC secret being substituted by either;

  • channelLinkId (present in most calls to partner endpoints)
  • locationId (applicable to Dispatch API integrations and Get Products webhook for POS integrations)

For more information about HMAC and how it works please visit wikipedia


When calculating the HASH on your end, make sure you do this based on the payload i.e. bodyRaw as its received and don't process, parse or otherwise touch it before doing so.


GET requests

To calculate HMAC for GET calls where there is no body payload, body needs to be empty.

IP Whitelisting

You can also use IP whitelisting, preferably of our domains, which will allow us to add/change IPs if needed without impacting your security process.

Your endpoint will receive calls from these IP's:


IP Updates

Any changes to the IPs above will be well communicated in advance via our API updates mailers. Subscribe to receive updates here