In the DoorDash Developer Portal, register a new webhook endpoint URL for your integration environment, selecting the relevant event types
Note the signing secret provided at registration time; store it in a secrets manager rather than in application config
To rotate the secret, add a secondary endpoint with the same URL but a new secret before deleting the old registration, enabling dual validation during rollover
In your webhook handler, validate both the old and new secrets during the overlap window by trying each HMAC-SHA256 verification in sequence
Once all traffic is confirmed flowing with the new signature, remove the old endpoint registration from the portal
Run an end-to-end test by triggering a sandbox delivery event and confirming the handler accepts the new signature
Known gotchas
DoorDash webhook signing uses HMAC-SHA256 over the raw request body; any middleware that re-serializes the body before your handler will break signature verification
There is no portal-level replay mechanism for missed events during a secret rotation; maintain idempotent order state to survive a brief gap
The Developer Portal does not support multiple active secrets per endpoint; the dual-endpoint trick is the only safe rotation pattern
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp