UBER-EATS-Wrapper/docs/developer-portal/07-webhooks-audit.md

07 Webhooks Audit

Source checked: Uber Eats "Webhook" section shared by you.

Implemented Now

• Webhook signature verification using X-Uber-Signature:
  • HMAC SHA256 over raw request body
  • key = Uber client secret
• Optional webhook Basic Auth validation if configured in .env.
• Retry-safe de-duplication via deterministic webhook dedupe key.
• Response behavior aligned to doc:
  • return 200 with empty body on valid webhook receipt.
• Persisted webhook metadata includes:
  • event_type
  • resource_id
  • resource_href
  • signature and dedupe key

Existing Before

• Webhook endpoint already present.
• Event payload and headers persistence.

Pending

• Per-event downstream job workers (accept/deny SLA orchestration).
• Alerting if order accept/deny not sent before timeout window.
• Full typed schema validation per webhook event_type.