Upon registration, your account manager will provide you with a
webhook-secret. This is distinct from your
api-secret that is used in API calls.
For every webhook request, this webhook secret and a sequential globally unique identifier (GUID) are used to generate a Hash-based message authentication code (HMAC) of the request payload. This GUID and generated HMAC are set as
X-Deliveroo-Hmac-Sha256 headers respectively on the webhook request.
When you receive a webhook request, you should use these headers to compute a digest and verify that it’s a genuine, authorized request sent from Deliveroo.
Updated 7 months ago