Follow these recommendations when working with webhooks.
Respond quickly
Respond to the request with 202 Accepted within two seconds. The request timeout is five seconds. Use a queue to store the event and process it later. This prevents timeout failures and ensures resilience to high volumes.
Validate the signature header using the body byte array
Validate the signature against the body byte array exactly as received, without transformations. Don't alter or parse the body before validating. Use the raw request buffer to avoid inconsistencies.
Handle delays
There may be delays in event delivery. If an old event causes issues, compare the event timestamp with the current time.
Ignore duplicate events
You may receive the same event more than once. Implement idempotent operations. Identify duplicates by the event's id field.
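The following added example (not iFood's own code) combines three of the recommendations above: check the signature over the untouched request bytes, drop duplicates by the event's id, and queue the event so the handler can answer 202 immediately. The signing scheme (hex HMAC-SHA256 with a shared secret), the 401/400 rejection statuses, and the sample values are assumptions; the page does not specify them.

```python
import hashlib
import hmac
import json
import queue


def sign(raw_body: bytes, secret: bytes) -> str:
    """Hex HMAC-SHA256 over the exact bytes received (assumed scheme)."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def handle_webhook(raw_body, signature, secret, seen_ids, work_queue):
    """Return the HTTP status to send. Nothing is parsed before the check."""
    expected = sign(raw_body, secret).encode()
    # Constant-time comparison; a missing header is treated as invalid.
    if not hmac.compare_digest(expected, (signature or "").encode()):
        return 401  # assumed rejection status
    try:
        event = json.loads(raw_body)  # parse only after validation
        event_id = str(event["id"])
    except (ValueError, KeyError, TypeError):
        return 400  # signed but not a JSON object with an id
    if event_id in seen_ids:
        return 202  # duplicate: acknowledge, do not process again
    seen_ids.add(event_id)
    work_queue.put(event)  # a separate worker processes it later
    return 202


# Constructed sample data, not real iFood values.
SECRET = b"example-secret"
RAW = b'{"id": "evt-1",  "code":"PLC"}'  # irregular spacing is deliberate

if __name__ == "__main__":
    q, seen = queue.Queue(), set()
    good = sign(RAW, SECRET)
    print(handle_webhook(RAW, good, SECRET, seen, q), q.qsize())
    # Redelivery of the same event is acknowledged but not queued again.
    print(handle_webhook(RAW, good, SECRET, seen, q), q.qsize())
    # Parsing and re-serialising changes the bytes, so validation fails.
    altered = json.dumps(json.loads(RAW)).encode()
    print(handle_webhook(altered, good, SECRET, set(), queue.Queue()))
```

In production the set of seen ids and the queue would live in shared, persistent storage so that deduplication survives restarts and works across several instances.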
Track failures
Monitor response codes and delivery metrics. Fix failures before they impact your users.
Check for dropped events and run reconciliation routines
If your application goes offline, retrieve events from the last 8 hours through the polling endpoint. Use lower-frequency polling as a fallback, for example every 30 minutes.
Allow iFood IPs in the firewall
Ensure that the IPs below are whitelisted in your firewall to receive webhook requests:
34.202.11.230
34.228.183.194
44.207.41.97
44.208.105.236
54.85.55.192
We may change these IPs without prior notice. Always consult the documentation for the updated list.
For greater security, allow only the necessary IPs and avoid whitelisting all external IPs.