Deliveroo notifies you about order and rider events through webhooks. A hash-based message authentication code (HMAC) signature, included alongside the webhook payload, can be used to verify the event. You may read more about HMAC [here](🔗).

Once you have configured your webhook endpoints, we will provide a **webhook secret**. This secret is known only by you and Deliveroo. The verification signature is generated using the webhook secret.

## Verifying Signature

This guide describes how to verify the legacy webhook events, i.e. the `new_order` and `cancel_order` event types.

**Step 1: Extract the signature and GUID from request headers**

Retrieve the GUID and signature from the request headers `X-Deliveroo-Sequence-Guid` and `X-Deliveroo-Hmac-Sha256`, respectively.

**Step 2: Prepare the signed payload**

Create the payload by concatenating the GUID and the request body:

  • separated by ` \n ` (a newline character with a space before and after it) for legacy `new_order` and `cancel_order` webhooks in POS integration.

  • separated by ` ` (a space) for all the other webhooks.

**Step 3: Determine the expected signature**

Compute an HMAC with the SHA256 hash function. Use the webhook secret as the key, and use the payload prepared in step 2 as the message.

**Step 4: Verify the signature**

Compare the signature you determined with the signature you retrieved from the request header. You may consider the event valid only if the two signatures match.

### Examples



## New Order And Rider Events Webhooks

This guide explains how to verify the new order and rider events webhooks. Verification differs only slightly from the legacy procedure. These webhooks include the following events:

  • `order.new`

  • `order.status_update`

  • `rider.status_update`

**Step 1: Extract the signature and GUID from request headers**

Retrieve the GUID and signature from the request headers `X-Deliveroo-Sequence-Guid` and `X-Deliveroo-Hmac-Sha256`, respectively.

**Step 2: Prepare the signed payload**

Create the payload by concatenating the GUID and the request body, separated by ` ` (a blank space).

**Step 3: Determine the expected signature**

Compute an HMAC with the SHA256 hash function. Use the webhook secret as the key, and use the payload prepared in step 2 as the message.

**Step 4: Verify the signature**

Compare the signature you determined with the signature you retrieved from the request header. You may consider the event valid only if the two signatures match.

### Examples
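
The four steps above, covering both the legacy and the new event families, as an added Python example (not Deliveroo's own code). It assumes the header carries the hex encoding of the digest; the secret, GUID and body are constructed sample values, and `verify_webhook`, `expected_signature` and the `family` parameter are hypothetical names.

```python
import hashlib
import hmac

# Separator between GUID and body, per step 2 of each procedure above.
SEPARATORS = {
    "legacy": b" \n ",  # new_order / cancel_order (POS integration)
    "current": b" ",    # order.new, order.status_update, rider.status_update
}

# Constructed sample values, not real Deliveroo data.
SAMPLE_SECRET = b"constructed-webhook-secret"
SAMPLE_GUID = "00000000-0000-4000-8000-000000000001"
SAMPLE_BODY = b'{"event":"order.new","body":{"order":{"id":"sample"}}}'


def expected_signature(secret: bytes, guid: str, raw_body: bytes, family: str) -> str:
    """Steps 2 and 3: build the signed payload and HMAC-SHA256 it."""
    payload = guid.encode("utf-8") + SEPARATORS[family] + raw_body
    # Assumption: the header carries the hex encoding of the digest.
    return hmac.new(secret, payload, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: dict, raw_body: bytes,
                   family: str = "current") -> bool:
    """Steps 1 and 4. raw_body must be the bytes as received, before any
    JSON parsing, because re-serialising changes the signed message."""
    lowered = {name.lower(): value for name, value in headers.items()}
    guid = lowered.get("x-deliveroo-sequence-guid")
    received = lowered.get("x-deliveroo-hmac-sha256")
    if not guid or not received:
        return False  # unsigned request: reject rather than skip the check
    expected = expected_signature(secret, guid, raw_body, family)
    # Constant-time comparison avoids leaking the match position via timing.
    return hmac.compare_digest(expected.encode("ascii"),
                               received.strip().encode("utf-8"))


def demo() -> dict:
    """Run the check on the constructed sample request."""
    sig = expected_signature(SAMPLE_SECRET, SAMPLE_GUID, SAMPLE_BODY, "current")
    headers = {"X-Deliveroo-Sequence-Guid": SAMPLE_GUID,
               "X-Deliveroo-Hmac-Sha256": sig}
    return {
        "genuine": verify_webhook(SAMPLE_SECRET, headers, SAMPLE_BODY),
        "tampered_body": verify_webhook(SAMPLE_SECRET, headers, SAMPLE_BODY + b" "),
        "wrong_separator": verify_webhook(SAMPLE_SECRET, headers, SAMPLE_BODY, "legacy"),
        "missing_signature": verify_webhook(
            SAMPLE_SECRET, {"X-Deliveroo-Sequence-Guid": SAMPLE_GUID}, SAMPLE_BODY),
    }
```

Calling `demo()` shows that only the untouched request signed with the matching separator verifies; a changed body, the wrong separator, or a missing signature header all fail.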