Webhook Events#
You can set webhooks through the API to receive notifications about events that happen in your stores.
These are the events available to retrieve with webhooks:
- NEW_ORDER: New orders.
- ORDER_EVENT_CANCEL: Order cancellation events. See Cancellation Events.
- ORDER_OTHER_EVENT: Order events. See Order Events.
- MENU_APPROVED: Menu approval events.
- MENU_REJECTED: Menu rejection events.
- PING: This event enables the health check procedure.
- STORE_CONNECTIVITY: This event enables the store connectivity information process (when the store is available or unavailable to operate).
Use the endpoints of the Webhooks resource to register and test webhooks in your stores.
Security#
Our Public API signs its webhooks using a hash-based message authentication code (HMAC) with SHA-256 (Secure Hash Algorithm 2). Each request has its own signature, which is sent in the Rappi-Signature header in the following format:
t=123456,sign=d74b65c2e68c1a84a4d5843a69ef5faf1d82f28df2dd3723e8e0dad9c54abc79
Validating Your Signature#
You can validate the signature that comes in the header by following the steps below.
Important
To validate the signature, you will need the secret of your webhook.
1. Extract the timestamp and signature from the header.
   1.1 Split the header value on the comma "," to create a list.
   1.2 Split each element again on "=" to obtain t and sign.
   - t: the timestamp of the request
   - sign: the signature
2. Create the signed_payload string by concatenating:
   - The timestamp
   - The character .
   - The actual payload
   Example:
   123456.{ "message" : "this is an example" }
3. Compute an HMAC with the SHA256 hash function. Use the secret as the key, and use the signed_payload string as the message to determine the expected signature.
4. Compare the signature in the header with the expected signature.
If they match, you can be sure that the information is valid.
Note
Make sure you take the payload string in exactly the same format in which it arrives, to avoid any differences in the signature.
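The four validation steps above as a receiver-side check. This is an added example, not code from the API provider. It assumes the signature is hex-encoded (inferred from the sample header) and that the secret and body shown are constructed sample values; the function names are hypothetical.

```python
import hashlib
import hmac


def parse_signature_header(header: str) -> tuple[str, str]:
    """Step 1: split 't=<timestamp>,sign=<signature>' into its two values."""
    fields = {}
    for element in header.split(","):
        key, sep, value = element.strip().partition("=")
        if not sep:
            raise ValueError("malformed Rappi-Signature element")
        fields[key] = value
    if "t" not in fields or "sign" not in fields:
        raise ValueError("Rappi-Signature must carry both t and sign")
    return fields["t"], fields["sign"]


def expected_signature(secret: bytes, timestamp: str, raw_body: bytes) -> str:
    """Steps 2-3: HMAC-SHA256 over '<timestamp>.<payload>', keyed with the secret."""
    signed_payload = timestamp.encode("ascii") + b"." + raw_body
    # Hex output is an assumption based on the sample header on this page.
    return hmac.new(secret, signed_payload, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, header: str, raw_body: bytes) -> bool:
    """Step 4: accept the request only if the header matches the raw body."""
    try:
        timestamp, received = parse_signature_header(header)
        expected = expected_signature(secret, timestamp, raw_body)
    except ValueError:  # also covers a non-ASCII timestamp
        return False
    # Constant-time comparison, so a mismatch does not reveal where it differs.
    return hmac.compare_digest(expected.encode(), received.encode())


if __name__ == "__main__":
    secret = b"constructed-sample-secret"  # constructed, not a real secret
    raw_body = b'{ "message" : "this is an example" }'  # bytes as received
    header = "t=123456,sign=" + expected_signature(secret, "123456", raw_body)

    print(verify_webhook(secret, header, raw_body))
    # Re-serialising the JSON changes the bytes, so the same header fails.
    print(verify_webhook(secret, header, b'{"message":"this is an example"}'))
```

Pass the request body bytes exactly as read from the socket; verifying a parsed and re-serialised JSON object is the failure the note above describes.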
Health Check#
This is a procedure that runs every minute to check the status of each store associated with a webhook. When a store is not available, it will be turned off until it is available again.
Important
This procedure will only be available for those stores that are using the NEW_ORDER webhook and are subscribed to PING
Behaviour#
A POST will be sent to the URL configured in the webhook with the following format:
{
"store_id": 999
}
Where store_id represents the id of the store configured on your side (external id).
The response should have the following format:
{
"status": "OK",
"description": "Tienda prendida"
}
- status: this field is required. If the value is null or different from OK, the store will be considered unavailable.
- description: this field is optional.
Store Connectivity#
Notifies the configured URL of changes in a store's availability.
Behaviour#
A POST will be sent to the URL configured in the webhook with the following format:
{
"external_store_id": "999",
"enabled": false,
"message": "The Store is not enabled to operate"
}
Where external_store_id (String) represents the id of the store configured on your side.
Where enabled (boolean) indicates whether the store is available to operate or not.
Where message (String) represents a message informing whether the store is available or not.