Swoop Developers

Authentication

There are two distinct trust boundaries in a Swoop POS integration. Keep them separate.

1. Webhooks into the adapter — shared-secret token

Every status webhook and every Pub/Sub push delivery must carry a shared-secret token as the token query parameter:

POST /webhook/{integration}/{locationId}?token=YOUR_WEBHOOK_TOKEN

This token authenticates that the caller is allowed to deliver events. It does not identify a specific order or member.

Webhook payload verification

The adapter passes all request headers through to your provider's WebhookTranslator. If your POS signs webhooks (e.g. an HMAC over the body), verify that signature inside TranslateWebhook before trusting the payload — the token guards the endpoint, the signature guards the message. A payload that fails verification should be treated as poison: return no event so the adapter acks and drops it (see Errors).

2. The adapter into your POS — provider credentials

When the adapter calls your POS to create an order, it authenticates with credentials you define in the provider's tenant config (ProviderConfig). These are provider-specific and stored server-side as secrets — never in the spec or in source.

Example: an OAuth2 integration

A common pattern is OAuth2 authorization-code + refresh:

Your integration chooses its own auth scheme — API key, OAuth, mTLS — by reading whatever keys it needs from its tenant config. Swoop stores those keys server-side as secrets and supplies them at startup.

Secrets handling