
Webhooks

Overview

Mercat webhooks deliver real-time HTTP POST notifications about changes to stores, orders, and menus, eliminating the need to poll the API.

Configuration

1. Provide your endpoint URL and (optionally) a webhook secret during API setup
2. Ensure your endpoint is publicly accessible via HTTPS
3. The Mercat team will enable webhook delivery for your account

Event Types

stores.update
orders.create
orders.update
menus.update

Event Structure

{
  "client_id": "your-client-id",
  "event_id": "550e8400-e29b-41d4-a716-446655440000",
  "event_type": "orders.update",
  "event_timestamp": 1705348800,
  "api_version": "v1",
  "event_data": { }
}

| Field | Type | Description |
| --- | --- | --- |
| client_id | string | Your client identifier |
| event_id | string (UUID) | Unique event identifier. Use for idempotency |
| event_type | string | One of: stores.update, orders.create, orders.update, menus.update |
| event_timestamp | integer | Unix timestamp when the event occurred |
| api_version | string | API version (currently v1) |
| event_data | object | Full resource object (Store, Order, or Menu) |

HTTP Request

Method: POST

Headers:

| Header | Description |
| --- | --- |
| Content-Type | application/json |
| X-Request-Id | Unique UUID per request (useful for debugging) |
| X-Webhook-Secret | Your configured secret (if set) |

Timeout: 10 seconds. Your endpoint must respond within this time.

Endpoint Requirements

Accept POST requests with JSON body
Respond with HTTP 200 within 10 seconds
Validate X-Webhook-Secret if configured
Handle duplicate event_id idempotently
Process heavy logic asynchronously (respond first, process after)

Security

The X-Webhook-Secret header is the primary authentication mechanism.

Delivery Guarantees

Retries: Failed deliveries (non-200 or timeout) are retried automatically with exponential backoff
Deduplication: Content-based deduplication prevents identical events from being sent twice. Use event_id for application-level idempotency
Ordering: Events are generally delivered in order per resource, but retries or network issues may cause occasional out-of-order delivery. Use event_timestamp to detect outdated events

Best Practices

1. Respond quickly -- return 200 OK before doing heavy processing
2. Verify secret -- validate X-Webhook-Secret on every request
3. Be idempotent -- deduplicate using event_id
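
A receiver-side handler that applies the requirements above in order (secret check, idempotency on event_id, stale-event detection with event_timestamp, then queueing for asynchronous work). This is an added example, not Mercat's own code. Assumptions: the `handle_webhook` name, the in-memory stores, the constructed secret value, and an `id` field inside `event_data`, which this page does not show.

```python
import hmac
import json
import queue

WEBHOOK_SECRET = b"constructed-example-secret"  # assumption: loaded from your secret store
KNOWN_TYPES = {"stores.update", "orders.create", "orders.update", "menus.update"}

seen_event_ids = set()      # in production: a shared store with a TTL
latest_ts = {}              # (resource kind, resource id) -> newest event_timestamp applied
work_queue = queue.Queue()  # drained by a background worker, outside the request path


def handle_webhook(headers, body):
    """Decide the HTTP response for one delivery; returns (status, reason)."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    supplied = hdrs.get("x-webhook-secret", "").encode()
    # Constant-time comparison; a missing header compares as empty and fails.
    if not hmac.compare_digest(supplied, WEBHOOK_SECRET):
        return 401, "bad secret"
    try:
        event = json.loads(body)
        event_id = str(event["event_id"])
        event_type = str(event["event_type"])
        ts = int(event["event_timestamp"])
        data = event["event_data"]
        if not isinstance(data, dict):
            raise TypeError("event_data must be an object")
    except (ValueError, KeyError, TypeError):
        return 400, "malformed event"
    if event_type not in KNOWN_TYPES:
        return 400, "unknown event_type"
    # Retries can redeliver an event: acknowledge with 200 but do not reprocess.
    if event_id in seen_event_ids:
        return 200, "duplicate"
    seen_event_ids.add(event_id)
    # Assumption: the resource object carries an "id" field (hypothetical name).
    key = (event_type.split(".")[0], str(data.get("id")))
    if ts < latest_ts.get(key, 0):
        return 200, "stale"      # older than state already applied; drop it
    latest_ts[key] = ts
    work_queue.put(event)        # heavy work happens after the 200 is sent
    return 200, "queued"
```

Because the secret is a static value sent in a header rather than a signature over the body, the check authenticates the sender only over HTTPS and says nothing about body integrity on its own.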
Modified at 2026-02-17 15:09:13