Checks if a delivery is eligible according to the delivery time and travel distance.

Create delivery request

You will notice this request parameters and the Check eligibility ones are the same.

⚠️ Calling this route immediately creates a valid delivery in our system and available for all shoppers.

If you need to validate a delivery without creating it, use the eligibility route.

Any updates on the created delivery will be done by our Customer Service.

To cancel a delivery, please refer to the next part of this document.

Authentication

api_key and partner_id can be provided in the header (better) or in the body

Return the latest status of a delivery.

Return all the events that occured on a delivery.

Webhook used to send events occuring on a delivery. Those events can be a status change, or a delivery slot modification for example. To use webhooks, you have to give us the URL to use to send you this information.

Validating Webhook Signatures

To ensure the integrity and authenticity of the webhook events received from our API, it's crucial to verify the signature sent with each request. This guide provides instructions on validating webhook payloads. Each webhook request includes a signature in the X-Shopopop-Signature-256 header. Use this signature to verify the payload's integrity by computing the expected hash and comparing it to the received hash.

Creating a Secret Token

Ask our team to generate a secret token using a high-entropy string, which will be used to compute a hash signature for each payload. When creating a new webhook, input this token into the appropriate field in your configuration settings.

Storing the Secret Token Securely

Store the token in a secure location accessible by your server's environment. Avoid hardcoding it directly into your codebase or version control systems.

Plain example

Given this payload:

{
  "date": "2023-12-19T15:00:00.000Z",
  "deliveryId": "PARTNERREF12345",
  "event": "DELIVERY_ADDED"
}

With this signatureKey : 12345-abcde-£.?./+
Header will be prefixed with sha256= so an example header given the signatureKey and payload above :

X-Shopopop-Signature-256 : sha256=0dd4e829b49855c4238ca56b9cc241aee35106274124ca656ace52b277cc07dc

Verifying Webhook Payloads

JavaScript Example:

const crypto = require('crypto');

function verifySignature(payload, receivedSig, secret) {
    const hash = crypto.createHmac('sha256', secret)
                       .update(payload)
                       .digest('hex');
    const expectedSig = `sha256=${hash}`;
    return crypto.timingSafeEqual(Buffer.from(expectedSig), Buffer.from(receivedSig));
}

// Example usage
const payload = JSON.stringify(request.body);
const receivedSig = request.headers['x-shopopop-signature-256'];
const secret = process.env.SIGNATURE_KEY;

if (!verifySignature(payload, receivedSig, secret)) {
    console.error('Invalid signature');
}

Python Example:

import hmac
import hashlib

def verify_signature(payload, received_sig, secret):
    hash = hmac.new(secret.encode(), msg=payload.encode(), digestmod=hashlib.sha256).hexdigest()
    expected_sig = f'sha256={hash}'
    return hmac.compare_digest(expected_sig, received_sig)

# Example usage
payload = request.get_data(as_text=True)
received_sig = request.headers.get('X-Shopopop-Signature-256')
secret = os.getenv('SIGNATURE_KEY')

if not verify_signature(payload, received_sig, secret):
    print('Invalid signature')

Troubleshooting

If the signature verification fails:

• Ensure the secret token is correct and securely stored.
• Confirm that the X-Shopopop-Signature-256 header is being used.
• Make sure the payload and headers are not modified in transit, possibly by middleware or proxies.
• Ensure that the payload is handled as UTF-8 to accommodate any unicode characters.

By following these guidelines, you can secure your webhook interactions against unauthorized and tampered requests.