Register your webhook URL in the Uber Direct Dashboard under the Developer > Webhooks tab; select event types such as event.delivery_status and event.courier_update
On each inbound webhook POST, extract the x-uber-signature header value
Compute a SHA-256 HMAC of the raw request body using your webhook signing key as the secret
Compare the computed hash to the x-uber-signature value; discard requests where they do not match
Return HTTP 200 to acknowledge; Uber retries on 5xx responses and network errors using exponential backoff
Known gotchas
The signing key is separate from your OAuth client secret — locate it in the Webhooks section of the dashboard, not the API credentials section
Using the parsed JSON body instead of the raw byte body for HMAC computation will produce a different hash and break verification for all events
event.courier_update fires frequently (often every few seconds during transit); design consumers to handle high volume without blocking
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp