KModules
Authentication
Merchant
Catalog
Order
Events
Logistics
Shipping
Review
Financial
Solutions
Overview
The webhook sends one event perHTTP POST request with Content-Type: application/json with the following parameters:- Header:
X-IFood-Signatureused to verify if the request came from iFood.
Check here how webhook request signature works and how to use it for validation.
- Request body: a JSON that can follow two formats: -Order events -Presence events
Examples
Curl
Curl example assumingSECRET: "dummysecret":curl --location 'http://localhost:8080/webhook' \
--header 'X-IFood-Signature: 6f9ed23a7b505a3b6907c5f6eb2ad1b056fbf35a643d365a9a072ed7aabca153' \
--header 'Content-Type: application/json' \
--data '{"code":"PLC","createdAt":"2023-02-20T18:19:03.20162269Z","fullCode":"PLACED","id":"a38ba215-f949-4b2c-982a-0582a9d0c10e","merchantId":"cad65e8f-6fc6-438a-b159-e64a902a6b9a","orderId":"2c97e104-35ed-4c18-85d7-854a40b6b9e3"}'Request with extra spaces
Check the example of a request with payload equivalent to the first example, just with some extra spaces that affect the signature, but equally valid:curl --location 'http://localhost:8080/webhook' \
--header 'X-IFood-Signature: cf7e092c9148a48f5ee5f12b947f46b331eac6bf0745e1e1d0f3df722e219df3' \
--header 'Content-Type: application/json' \
--data '{ "code":"PLC", "createdAt":"2023-02-20T18:19:03.20162269Z", "fullCode":"PLACED", "id":"a38ba215-f949-4b2c-982a-0582a9d0c10e", "merchantId":"cad65e8f-6fc6-438a-b159-e64a902a6b9a", "orderId":"2c97e104-35ed-4c18-85d7-854a40b6b9e3" }'Formatted request
Check the example of another request with equivalent payload, now formatted for easier reading, which also results in another equally valid signature:curl --location 'http://localhost:8080/webhook' \
--header 'X-IFood-Signature: adf5446334f754e73588f3ae10b308306307f0c797f7f678912d740c6deddf6a' \
--header 'Content-Type: application/json' \
--data '{
"code":"PLC",
"createdAt":"2023-02-20T18:19:03.20162269Z",
"fullCode":"PLACED",
"id":"a38ba215-f949-4b2c-982a-0582a9d0c10e",
"merchantId":"cad65e8f-6fc6-438a-b159-e64a902a6b9a",
"orderId":"2c97e104-35ed-4c18-85d7-854a40b6b9e3"
}'Request with changed property order
Check the example of a request with equivalent payload, but with changed property order, which also results in another signature:curl --location 'http://localhost:8080/webhook' \
--header 'X-IFood-Signature: e2d26f22f89932ff3d23a699031b22d6f30323501430dc08c3a971dd875e23b5' \
--header 'Content-Type: application/json' \
--data '{"merchantId":"cad65e8f-6fc6-438a-b159-e64a902a6b9a","orderId":"2c97e104-35ed-4c18-85d7-854a40b6b9e3","code":"PLC","createdAt":"2023-02-20T18:19:03.20162269Z","fullCode":"PLACED","id":"a38ba215-f949-4b2c-982a-0582a9d0c10e"}'What to respond to the webhook
Send a response with202 Accepted status code within 5 seconds to confirm event receipt. The system considers this response as successful and will not attempt to resend the event. We ignore the response body, except in internal audits for delivery failures. In those cases, send the response in the specified format.Error cases
The purpose of the webhook request is to integrate the event successfully. Use error responses only to indicate integration failure, i.e., when the server did not receive or process the event correctly.The webhook recognizes HTTP 5xx errors as reception or processing failures. The system only retries for this class of errors.Error responses impact the retry flow and should only be used when it's necessary to attempt delivery again.When returning an error, send the payload specified below to detail the reason in internal audit. We ignore any other formats or fields, like XML.{
"error": "error message"
}If all delivery attempts fail, the webhook discards the event. The system will not make new delivery attempts for that event.
202 after 5 seconds, the system will still attempt to resend the event.See also
Was this page helpful?
Rate your experience in the new Developer portal: