Webhooks

When the status changes in the OrderGer app, we POST a signed event to your webhook URL.

Events

• order.created
• order.accepted
• order.rejected (includes rejection_reason)
• order.preparing · order.waiting_for_courier · order.on_the_way
• order.delivered
• order.cancelled
• order.updated (includes changed_fields)

Headers we send

POST <your_webhook_url>
Content-Type: application/json
X-OrderGer-Event: order.accepted
X-OrderGer-Timestamp: 1782671913
X-OrderGer-Signature: sha256=<hex>
User-Agent: OrderGer-Webhook/1.0

Verify the signature

Compute HMAC-SHA256 of the raw body using your shared secret, hex-encoded, and compare it constant-time with what's in X-OrderGer-Signature (drop the sha256= prefix).

// Node
const expected = 'sha256=' + crypto.createHmac('sha256', secret).update(rawBody).digest('hex');
if (!crypto.timingSafeEqual(Buffer.from(expected), Buffer.from(sig))) return res.status(401).end();

// PHP
$expected = 'sha256=' . hash_hmac('sha256', $rawBody, $secret);
if (!hash_equals($expected, $signature)) http_response_code(401);

Retries

Failed deliveries (non-2xx, timeout) are retried with exponential backoff up to 5 attempts. View attempts in Integration Center → Webhooks → Logs. You can also manually retry any single failed delivery from the logs.

Sample body

{
  "event": "order.accepted",
  "orderger_order_id": "ord_xxx",
  "external_order_id": "WEB-10052",
  "business_id": "biz_xxx",
  "branch_id": "branch_xxx",
  "status": "preparing",
  "timestamp": 1782671913000
}