Webhook

Introduction

You will need to have a webhook server to be able to receive order status webhook notifications. These notifications will inform you of the status changes for each order, additional information about courier statuses and provide ratings of consumers on a purchase made. 

Types of Webhook notifications

Status Type Description 
"CREATED" Sent for all new orders which the merchant is receiving on WOLTs marketplace. 
"PRODUCTION"Sent after the order has been accepted by the venue staff, either automatically or manually. 
"READY" Sent if the merchants has completed the preparation or collection of the order. 
"CANCELED" Sent if the order has been “rejected” or has been “canceled” by Wolts support. 
"REVIEW" *optional Sent if a consumer has provided a review / rating of his order.  
"PICK-UP-COMPLETED" *optional Sent if the courier has complete the pick-up at the venue location. 
"COURIER ARRIVAL" *optional Sent X-min before the courier  is within a 150 radius of the venues location.
"DELIVERED"The order was DELIVERED to the consumer. 

Example Webhook JSON

{
  "id": "90f5c25cbbfb3d131a46e643",
  "type": "order.notification",
  "order": {
    "id": "90f5be47fc97e11107f8a480",
    "venue_id": "9a5c7e3102fe6a000c4b562b",
    "status": "PRODUCTION",
    "resource_url": "https://pos-integration-service.wolt.com/orders/90f5be47fc97e11107f8a480"
  },
  "created_at": "2021-07-19T18:20:12.378509Z"
}

Making use of the notification

Your system can fetch the order payload by using the resource_url field. You can also hardcode the base URL and use the order.id field's value to pull order details. Moreover, some notifications can be used to decide the order parsing moment for the POS or using it to submit reminder on pending order to venue staff.

Two Types of order payload

WARNING! The resource URL used in the notification body allows to poll an outdated order payload. As Wolt runs two versions of the order payload. Please clarify with your Technical Account Manager for further notice.

Webhook server security

Please provide a client secret that is different from the API key, cryptographically random and at least 128 bits in length. This will be used to sign the webhook body using HMAC-SHA256.

Wolt signs the request by generating a signature from the request body, using the client secret, and sending it alongside the request.

Wolt signature specification

  • Notifications are signed with HMAC-SHA256.

  • String format for the signature is HEX.

  • The signature is placed to the WOLT-SIGNATURE HTTP request header.

  • The secret key for generating the signature from the request body is the client secret

  • Client secret: example-hmac-sha256-wolt

To generate the signature of the body, use HMAC-SHA256 with the client secret provided to Wolt. Generate it from the request body (i.e. the notification), and compare it to the value in the wolt-signature header.

Expected response

We require a 200 on any incoming notification to acknowledge our notification was received correctly. Otherwise, the notification will fall back into the retry logic. 

Retry logic

We will submit the first retry after 10 milliseconds, followed by two additional retries each after 10 milliseconds.