Checking signatures

On registration, we’ll provide you with a webhook secret. We use the webhook secret and a sequential globally unique identifier (GUID) to generate a hash of the order payload. When you receive a POST request, compute the same hash yourself and compare it with the one sent in the request headers to verify that it’s a genuine, authorised request sent from Deliveroo.

Read more about Hash-based message authentication code (HMAC).

Example webhook headers

X-Deliveroo-Sequence-Guid: 1499765769
X-Deliveroo-Hmac-Sha256: cc28251639033853f1cd1f8bde5a75cefba53c7c991d2b0db848b6747e258678

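Ruby example to generate an HMAC

require "openssl"

webhook_secret = "your_webhook_secret"
sequence_guid = "our_sequence_guid"
payload = "our_payload"

digest = OpenSSL::Digest.new('sha256')
# The signed string is the sequence GUID and the payload joined by " \n ".
data = "#{sequence_guid} \n #{payload}"
# Hex-encoded HMAC-SHA256 of the signed string, keyed with the webhook secret.
puts OpenSSL::HMAC.hexdigest(digest, webhook_secret, data)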
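
Verifying a received request, as an added example that is not part of the original page or Deliveroo's own code: it recomputes the HMAC with the layout from the Ruby example above and compares it in constant time with the header value. The function names, the headers hash keyed by the header names shown above, and the sample body are assumptions.

```ruby
require "openssl"

# Hex HMAC-SHA256 over "<guid> \n <payload>", the same string layout as the
# page's Ruby example (note the spaces around the newline).
def expected_signature(webhook_secret, sequence_guid, raw_body)
  data = "#{sequence_guid} \n #{raw_body}"
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("sha256"), webhook_secret, data)
end

# Compare two strings without stopping at the first mismatch, so response
# timing does not reveal how many leading characters of a guess were right.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# headers: hash keyed by the two header names shown above (assumed shape).
# raw_body: the request body exactly as received, before any JSON parsing.
def genuine_webhook?(webhook_secret, headers, raw_body)
  guid = headers["X-Deliveroo-Sequence-Guid"]
  received = headers["X-Deliveroo-Hmac-Sha256"]
  return false if guid.nil? || received.nil? || raw_body.nil?

  received = received.strip.downcase
  # A SHA-256 digest is 64 hex characters; reject anything else up front.
  return false unless received.match?(/\A[0-9a-f]{64}\z/)

  constant_time_equal?(expected_signature(webhook_secret, guid, raw_body), received)
end

# Constructed sample request (placeholder values, not real traffic).
secret = "your_webhook_secret"
body = '{"example":"constructed payload"}'
headers = {
  "X-Deliveroo-Sequence-Guid" => "1499765769",
  "X-Deliveroo-Hmac-Sha256" => expected_signature(secret, "1499765769", body)
}
puts genuine_webhook?(secret, headers, body)       # true
puts genuine_webhook?(secret, headers, body + " ") # false
```

Pass the body bytes as they arrived on the wire: re-serialising parsed JSON can change whitespace or key order and produce a different HMAC.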

C# example to generate an HMAC

using System;
using System.Security.Cryptography;
using System.Text;

namespace Rextester
{
    public class Program
    {
        public static void Main(string[] args)
        {
            string webhook_secret = "your_webhook_secret";
            string sequence_guid = "our_sequence_guid";
            string payload = "our_payload";

            // Same layout as the Ruby example: GUID and payload joined by " \n ".
            string data = string.Format("{0} \n {1}", sequence_guid, payload);

            // UTF-8 rather than ASCII, so non-ASCII characters in the payload
            // are hashed as their real bytes instead of being replaced with '?'.
            byte[] keyByte = Encoding.UTF8.GetBytes(webhook_secret);
            byte[] messageBytes = Encoding.UTF8.GetBytes(data);

            using (var hmac = new HMACSHA256(keyByte))
            {
                byte[] hashmessage = hmac.ComputeHash(messageBytes);

                // Print the digest as lower-case hex.
                Console.WriteLine(string.Concat(Array.ConvertAll(hashmessage, x => x.ToString("x2"))));
            }
        }
    }
}