Webhook Events#

API Reference

You can set webhooks through API that enable you to receive notifications about events that happen in your stores.

These are the events available to retrieve with webhooks:

  • NEW_ORDER: New orders
  • ORDER_EVENT_CANCEL: Order cancellation events. See Cancellation Events
  • ORDER_OTHER_EVENT: Order events. See Order Events
  • MENU_APPROVED: Menu approval events.
  • MENU_REJECTED: Menu rejection events.
  • PING: This event enables the health check procedure
  • STORE_CONNECTIVITY: This event enables the store connectivity information process. (When the store is available or unavailable to operate)

Use the endpoints of the Webhooks resource to register and test webhooks in your stores.

Security#

Our Public API has signatures for the security of its webhooks using a hash-based message authentication code (HMAC) with SHA-256 (Secure Hash Algorithm 2). Each request has its own signature which will come in the header with the name of Rappi-Signature and will have the following format

t=123456,sign=d74b65c2e68c1a84a4d5843a69ef5faf1d82f28df2dd3723e8e0dad9c54abc79

Validating Your Signature#

You can validate the signature that come in the header following the steps below

Important

To validate the signature, you will need the secret of your webhook.

  1. Extract the timestamp and signatures from the header.

    1.1 Separate with a comma "," to create a list.

    1.2 Separate each element again with "=" to obtain t and a sign.

    • t: Is the timestamp from the request
    • sign: Is the signature
  2. Create the signed_payload string by concatenating:

    • The timestamp
    • The character .
    • The actual payload

      Example:

      123456.{ "message" : "this is an example" }
      
  3. Compute an HMAC with the SHA256 hash function. Use the secret as the key, and use the signed_payload string as the message to determine the expected signature.

  4. Compare the signature in the header with the expected signature.

You can now ensure that the information is valid.

Note

Make sure you are taking the payload string in the same format that it arrives in order to avoid any differences in the signature

Health Check#

This is a procedure that run every minute to check the status of each store associated to a webhook. When a store is not available it will be turned off until it is available again

Important

This procedure will only be available for those stores that are using the NEW_ORDER webhook and are subscribed to PING

Behaviour#

A POST will be sent to the url configurated in the webhook with the following format:

{
    "store_id": 999
}

Where store_id represents the id of the store configurated on your side (external id)

The response should have the following format:

{
    "status": "OK",
    "description": "Tienda prendida"
}
  • status: this field is required, if the value is null or different to OK it will be considered as unavailable store.
  • description: this field is optional.

Store Connectivity#

Inform the configured url of the news about a store's availability change.

Behaviour#

A POST will be sent to the url configurated in the webhook with the following format:

{
    "external_store_id": "999",
    "enabled": false,
    "message": "The Store is not enabled to operate"
}

Where external_store_id (String) represents the id of the store configurated on your side.

Where enabled (boolean) represents with a binary value of the store is available to operate or not.

Where message (String) represents a message informing if the store is available or not.