Register a publicly reachable HTTPS endpoint in the DoorDash Developer Portal under Webhooks
On each inbound POST, read the X-DoorDash-Signature header and compute an HMAC-SHA256 of the raw request body using your signing secret
Compare your computed signature to the header value; reject with HTTP 403 if they do not match to prevent spoofed status updates
Parse the event_type field to branch logic: delivery_status transitions include enroute_to_pickup, arrived_at_pickup, picked_up, arrived_at_dropoff, delivered, and cancelled
Respond with HTTP 200 immediately to acknowledge receipt; perform async processing afterward to avoid timeout retries
Store the external_delivery_id from each event to correlate updates with your internal order records
Known gotchas
Failing to return HTTP 200 within the timeout window causes DoorDash to retry the webhook with exponential backoff, potentially duplicating downstream actions — make your handler idempotent
Webhook payloads do not include full order details; fetch them separately from GET /drive/v2/deliveries/{external_delivery_id} if you need complete data
Signature verification must use the raw byte body before any JSON parsing; frameworks that pre-parse the body will cause signature mismatches
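An added example (not DoorDash's code and not from this page) of a handler that follows the steps and gotchas above: it verifies the signature over the raw bytes before parsing, returns 403 on mismatch, and acknowledges retries without repeating work. Assumptions: the header carries a hex digest, the pair (external_delivery_id, event_type) is a usable dedupe key, a malformed but correctly signed body gets HTTP 400, and the in-memory set and list stand in for a durable store and an async queue.

```python
import hashlib
import hmac
import json

# Constructed secret for this example; load the real one from a secret store.
SIGNING_SECRET = b"example-signing-secret"

_seen = set()  # stand-in for a durable dedupe store (assumption)


def sign(raw_body: bytes, secret: bytes = SIGNING_SECRET) -> str:
    """HMAC-SHA256 over the exact bytes received (hex encoding is an assumption)."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def handle_webhook(headers: dict, raw_body: bytes, queue: list) -> int:
    """Return the HTTP status to send; `queue` stands in for an async job queue."""
    received = headers.get("X-DoorDash-Signature", "")
    # Verify before any parsing; compare_digest avoids a timing side channel.
    if not hmac.compare_digest(sign(raw_body).encode(), received.encode()):
        return 403
    try:
        event = json.loads(raw_body)
        key = (event["external_delivery_id"], event["event_type"])
    except (ValueError, KeyError, TypeError):
        return 400  # signed but unusable body (status choice is an assumption)
    # A retry carries the same event: acknowledge it again, act only once.
    if key not in _seen:
        _seen.add(key)
        queue.append(event)  # heavy work happens later, off the request path
    return 200


if __name__ == "__main__":
    # Constructed sample payload; note the double space after the comma.
    body = b'{"event_type": "picked_up",  "external_delivery_id": "D-1001"}'
    jobs = []
    good = {"X-DoorDash-Signature": sign(body)}
    print(handle_webhook(good, body, jobs), len(jobs))   # first delivery
    print(handle_webhook(good, body, jobs), len(jobs))   # retry, no new job
    # Re-serialising parsed JSON changes the bytes, so the signature no longer matches.
    reparsed = json.dumps(json.loads(body)).encode()
    print(handle_webhook(good, reparsed, jobs))
```

In a real framework, pass the request's unparsed body bytes to `handle_webhook` and look the header up case-insensitively.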