Skip to main content

Webhook Security

Verifying webhooks

When you receive a webhook, verify it came from Wava before processing it. We recommend:
  1. Check the source IP — Webhooks originate from Wava’s servers. Contact support for the current IP allowlist.
  2. Verify the order — After receiving a webhook, call GET /v1/orders/{orderId} with your merchant key to confirm the order status matches what the webhook reported.
  3. Use HTTPS — Always use an HTTPS endpoint for your webhook URL in production.

Idempotency

Your webhook handler should be idempotent — processing the same webhook multiple times should produce the same result. Wava may send the same webhook more than once in rare cases (retries, network issues). Use the id_order or id_external field to deduplicate incoming webhooks.
Never trust webhook data alone for critical business logic (e.g., shipping an order). Always verify the order status via the API before taking action.