Upon registration, your account manager will provide you with a webhook-secret. This is distinct from your api-secret that is used in API calls.

For every webhook request, this webhook secret and a sequential globally unique identifier (GUID) are used to generate a Hash-based message authentication code (HMAC) of the request payload. This GUID and generated HMAC are set as X-Deliveroo-Sequence-Guid and X-Deliveroo-Hmac-Sha256 headers respectively on the webhook request.

When you receive a webhook request, you should use these headers to compute a digest and verify that it’s a genuine, authorized request sent from Deliveroo.