New order created klikitordercreatedv2
When this fires. A customer placed an order through one of klikit’s surfaces (aggregator marketplace, direct ordering web, kiosk) for one of your branches. This is the moment you should ring the kitchen / send the ticket to the POS.
What you’ll receive. A JSON { brand_id, branch_id, orders }
envelope. orders is an array; today it’s almost always
length 1, but klikit is permitted to batch several brand-new
orders into a single delivery if they land in the same tick.
Each entry has the same shape as
getOrder.
What to do.
- Verify the x-klikit-signature header (see Webhooks overview).
- Dedupe on x-klikit-event-id — your handler will see the same id twice if a previous delivery failed.
- Return HTTP 2xx within 10 seconds, then process asynchronously.
Failed deliveries (non-2xx, timeouts, transport errors) are
retried by klikit with backoff and persisted in
hookit.webhook_logs. Ask your klikit operator if you need a
replay after recovering from downtime.
Authorizations
Authorization: Basic base64(partner_key:secret_key).
Credentials are issued by a klikit operator. The plaintext
secret_key is shown once at issuance and cannot be retrieved
later — store it securely. If lost, ask your operator to rotate
the secret to receive a new one. The old secret stops working
immediately on rotation; there is no overlap window.
Headers
x-klikit-signature: HMAC-SHA256 over the raw request body using your
webhook_secret_key, hex-encoded.
Verify exactly like this on your side (Go example, same shape in any language):
```go
// Fragment from inside your http.Handler; needs crypto/hmac, crypto/sha256, encoding/hex, net/http.
// rawBody holds the request bytes exactly as received (e.g. from io.ReadAll(r.Body)).
h := hmac.New(sha256.New, []byte(secret))
h.Write(rawBody)
expected := hex.EncodeToString(h.Sum(nil))
// hmac.Equal compares in constant time.
if !hmac.Equal([]byte(expected), []byte(r.Header.Get("x-klikit-signature"))) {
	http.Error(w, "forbidden", http.StatusForbidden)
	return
}
```
Two things that trip people up:
- Use the raw body, not a re-marshalled struct. Decoded → re-encoded JSON can differ in key order and whitespace, so its bytes no longer match and verification fails. Read the body bytes first, verify, then unmarshal.
- The webhook_secret_key is issued during partner onboarding by your klikit operator. It's a per-partner secret stored alongside your vendor record — not the same as your partner API secret_key.
x-klikit-event-id: Stable per-delivery id. Use it to de-dupe replays.
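The whole "What to do" sequence in one receiver (verify over the raw bytes, dedupe on x-klikit-event-id only after the signature checks out, acknowledge fast and hand off to a worker), as an added example that is not klikit's own code. The secret value, the queue size, the 1 MiB body cap, the in-memory dedupe map and the names `accept` and `handleOrderCreated` are assumptions; answering 503 on a full queue relies on the statement above that non-2xx deliveries are retried.

```go
package main
import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"net/http"
	"sync"
)

var secret = []byte("constructed-webhook-secret") // placeholder for your webhook_secret_key
var seen sync.Map                                 // accepted event ids (in-memory for the example)
var queue = make(chan []byte, 2)                  // hand-off to an async worker; tiny on purpose

func sign(body []byte) string {
	h := hmac.New(sha256.New, secret)
	h.Write(body)
	return hex.EncodeToString(h.Sum(nil))
}

func accept(raw []byte, sig, eventID string) int { // returns the HTTP status to send
	if !hmac.Equal([]byte(sign(raw)), []byte(sig)) {
		return http.StatusForbidden
	}
	if _, dup := seen.LoadOrStore(eventID, struct{}{}); dup { // recorded only after auth
		return http.StatusOK // replay: acknowledge so retries stop, do not enqueue again
	}
	select {
	case queue <- raw: // a worker unmarshals and processes the envelope later
		return http.StatusOK
	default: // queue full: forget the id so the retry is not deduped away
		seen.Delete(eventID)
		return http.StatusServiceUnavailable
	}
}

func handleOrderCreated(w http.ResponseWriter, r *http.Request) {
	raw, err := io.ReadAll(http.MaxBytesReader(w, r.Body, 1<<20)) // raw bytes, capped at 1 MiB
	if err != nil {
		w.WriteHeader(http.StatusBadRequest)
		return
	}
	w.WriteHeader(accept(raw, r.Header.Get("x-klikit-signature"), r.Header.Get("x-klikit-event-id")))
}

func main() {
	body := []byte(`{"brand_id":1,"branch_id":2,"orders":[{}]}`) // constructed sample envelope
	fmt.Println(accept(body, sign(body), "evt-1"), accept(body, sign(body), "evt-1"), len(queue))
}
```

With more than one receiver instance, the dedupe set has to live in a shared store with an expiry rather than in process memory.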
Body
Body that klikit POSTs to your registered webhook URL for the
three order events (klikit.order.created.v2,
klikit.order.status.updated, klikit.order.cart.updated).
Same envelope shape for all three; the orders array carries
full order records (same shape as
getOrder returns).
Envelope klikit POSTs to your webhook URL for all three order
events. The orders array is the same order record shape
returned by getOrder — including
payment.status, payment.method, payment.channel,
cart[], and the OrderStatus numeric code.
brand_id: Brand id the order belongs to. Use this together with branch_id to route the event inside your system.
branch_id: Branch id the order belongs to.
orders: One or more order records. Most deliveries carry a single order; batches happen when multiple orders land in the same hookit tick.
Response
Acknowledged