Order cart changed klikitordercartupdated
When this fires. A customer or operator edited the items or quantities on an in-progress order before it was finalised — added an item, removed one, changed a quantity, or swapped a modifier. Subscribe to this only if you mirror live cart state into your POS (e.g. for a kitchen display that wants to prep ahead of the final ACCEPTED event).
What you’ll receive. The same { brand_id, branch_id, orders } envelope. The cart array on each order record
reflects the new line-item state — treat it as the
replacement, not as a delta.
What to do. Verify the signature, dedupe on
x-klikit-event-id, return 2xx within 10 seconds, then
replace your local cart state. See the verification recipe
and code samples in the Webhooks overview.
Authorizations
Authorization: Basic base64(partner_key:secret_key).
Credentials are issued by a klikit operator. The plaintext
secret_key is shown once at issuance and cannot be retrieved
later — store it securely. If lost, ask your operator to rotate
the secret to receive a new one. The old secret stops working
immediately on rotation; there is no overlap window.
Headers
HMAC-SHA256 over the raw request body using your
webhook_secret_key, hex-encoded.
Verify exactly like this on your side (Go example, same shape in any language):
h := hmac.New(sha256.New, []byte(secret))
h.Write(rawBody)
expected := hex.EncodeToString(h.Sum(nil))
if !hmac.Equal([]byte(expected), []byte(r.Header.Get("x-klikit-signature"))) {
http.Error(w, "forbidden", http.StatusForbidden)
return
}Two things that trip people up:
- Use the raw body, not a re-marshalled struct. Decoded → re-encoded JSON has different byte order / whitespace and will fail verification. Read the body bytes first, verify, then unmarshal.
- The
webhook_secret_keyis issued during partner onboarding by your klikit operator. It's a per-partner secret stored alongside your vendor record — not the same as your partner APIsecret_key.
Stable per-delivery id. Use it to de-dupe replays.
Body
Body that klikit POSTs to your registered webhook URL for the
three order events (klikit.order.created.v2,
klikit.order.status.updated, klikit.order.cart.updated).
Same envelope shape for all three; the orders array carries
full order records (same shape as
getOrder returns).
Envelope klikit POSTs to your webhook URL for all three order
events. The orders array is the same order record shape
returned by getOrder — including
payment.status, payment.method, payment.channel,
cart[], and the OrderStatus numeric code.
Brand id the order belongs to. Use this together with branch_id to route the event inside your system.
Branch id the order belongs to.
One or more order records. Most deliveries carry a single order; batches happen when multiple orders land in the same hookit tick.
Response
Acknowledged