Authentication
Upon registration, your account manager will provide you with a webhook-secret
. This is distinct from your api-secret
that is used in API calls.
For every webhook request, this webhook secret and a sequential globally unique identifier (GUID) are used to generate a Hash-based message authentication code (HMAC) of the request payload. This GUID and generated HMAC are set as X-Deliveroo-Sequence-Guid
and X-Deliveroo-Hmac-Sha256
headers respectively on the webhook request.
When you receive a webhook request, you should use these headers to compute a digest and verify that it’s a genuine, authorized request sent from Deliveroo.
Updated about 2 years ago