Order status changed klikitorderstatusupdated
When this fires. An existing order moved to a new state. That includes the forward path (PLACED → ACCEPTED → PREPARING → READY → DISPATCHED → DELIVERED) and the cancellation path (anything → CANCELLED). Use this to keep your own order view in sync with klikit’s source of truth without polling.
What you’ll receive. The same { brand_id, branch_id, orders } envelope as klikit.order.created.v2. The status
field on each order record reflects the new state —
decode it via
OrderStatus.
What to do. Verify the signature, dedupe on
x-klikit-event-id, return 2xx within 10 seconds, then
update your own order record. See the verification recipe
and code samples in the Webhooks overview.
Authorizations
Authorization: Basic base64(partner_key:secret_key).
Credentials are issued by a klikit operator. The plaintext
secret_key is shown once at issuance and cannot be retrieved
later — store it securely. If lost, ask your operator to rotate
the secret to receive a new one. The old secret stops working
immediately on rotation; there is no overlap window.
Headers
HMAC-SHA256 over the raw request body using your
webhook_secret_key, hex-encoded.
Verify exactly like this on your side (Go example, same shape in any language):
h := hmac.New(sha256.New, []byte(secret))
h.Write(rawBody)
expected := hex.EncodeToString(h.Sum(nil))
if !hmac.Equal([]byte(expected), []byte(r.Header.Get("x-klikit-signature"))) {
http.Error(w, "forbidden", http.StatusForbidden)
return
}Two things that trip people up:
- Use the raw body, not a re-marshalled struct. Decoded → re-encoded JSON has different byte order / whitespace and will fail verification. Read the body bytes first, verify, then unmarshal.
- The
webhook_secret_keyis issued during partner onboarding by your klikit operator. It's a per-partner secret stored alongside your vendor record — not the same as your partner APIsecret_key.
Stable per-delivery id. Use it to de-dupe replays.
Body
Body that klikit POSTs to your registered webhook URL for the
three order events (klikit.order.created.v2,
klikit.order.status.updated, klikit.order.cart.updated).
Same envelope shape for all three; the orders array carries
full order records (same shape as
getOrder returns).
Envelope klikit POSTs to your webhook URL for all three order
events. The orders array is the same order record shape
returned by getOrder — including
payment.status, payment.method, payment.channel,
cart[], and the OrderStatus numeric code.
Brand id the order belongs to. Use this together with branch_id to route the event inside your system.
Branch id the order belongs to.
One or more order records. Most deliveries carry a single order; batches happen when multiple orders land in the same hookit tick.
Response
Acknowledged