Register your application in the Uber Developer Dashboard and request the required OAuth scopes including eats.order and eats.store.orders.read.
Configure your webhook endpoint URL in the Uber Eats integration settings for the merchant stores you are managing.
When an order notification webhook arrives, extract the X-Uber-Signature header from the request.
Compute an HMAC-SHA256 signature of the raw request body using your client secret as the key, then lowercase the hexadecimal digest.
Compare your computed signature to the value in X-Uber-Signature; reject requests where the signatures do not match to prevent spoofed order injections.
Respond with HTTP 200 and an empty body immediately after signature validation; then process the order asynchronously and call the accept_pos_order or deny_pos_order endpoint within 11.5 minutes.
Known gotchas
You must explicitly call accept_pos_order or deny_pos_order within 11.5 minutes of receiving the order webhook; Uber Eats does not treat a 200 acknowledgment as order acceptance — missing this window causes the order to time out and auto-cancel.
The X-Uber-Signature is computed over the raw request body before any JSON parsing; always read the raw bytes for signature verification, not a re-serialized JSON object, to avoid signature mismatches.
Uber Eats Marketplace API access requires six specific OAuth scopes; missing any one of them will cause certain API calls (such as eats.store.status.write) to fail silently or with opaque permission errors.
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp