UBER-EATS-Wrapper/docs/developer-portal/07-webhooks-audit.md

07 Webhooks Audit

Source checked: Uber Eats "Webhook" section shared by you.

Implemented Now

• Webhook signature verification using X-Uber-Signature:
  • HMAC SHA256 over raw request body
  • key = Uber client secret
• Optional webhook Basic Auth validation if configured in .env.
• Retry-safe de-duplication via deterministic webhook dedupe key.
• Response behavior aligned to doc:
  • return 200 with empty body on valid webhook receipt.
• Persisted webhook metadata includes:
  • event_type
  • resource_id
  • resource_href
  • signature and dedupe key
• Added explicit event handling for store.menu_refresh_request:
  • mapped via store_id
  • records latest menu refresh request metadata on uber_connections
  • stores webhook UUID and X-Environment marker
• Added explicit event handling for eats.report.success:
  • maps by job_id / workflow_id
  • marks report jobs completed
  • persists report sections metadata for download orchestration

Existing Before

• Webhook endpoint already present.
• Event payload and headers persistence.

Pending

• Per-event downstream job workers (accept/deny SLA orchestration).
• Alerting if order accept/deny not sent before timeout window.
• Full typed schema validation per webhook event_type.