# 07 Webhooks Audit

Source checked: Uber Eats "Webhook" section shared by you.

## Implemented Now

- Webhook signature verification using `X-Uber-Signature`:
  - HMAC SHA256 over raw request body
  - key = Uber client secret
- Optional webhook Basic Auth validation if configured in `.env`.
- Retry-safe de-duplication via deterministic webhook dedupe key.
- Response behavior aligned to doc:
  - return `200` with empty body on valid webhook receipt.
- Persisted webhook metadata includes:
  - `event_type`
  - `resource_id`
  - `resource_href`
  - signature and dedupe key
- Added explicit event handling for `store.menu_refresh_request`:
  - mapped via `store_id`
  - records latest menu refresh request metadata on `uber_connections`
  - stores webhook UUID and `X-Environment` marker

## Existing Before

- Webhook endpoint already present.
- Event payload and headers persistence.

## Pending

- Per-event downstream job workers (accept/deny SLA orchestration).
- Alerting if order accept/deny not sent before timeout window.
- Full typed schema validation per webhook `event_type`.