Supplier Delivery Formats

Pick the right format

Suppliers vary wildly in tech sophistication. ShipWave supports five delivery formats so you don't have to force everyone into the same workflow. Configure the format on the supplier record under Delivery. You can switch later without losing history. As a rough guide: small suppliers and one-person operations love the portal; mid-size 3PLs prefer CSV email or SFTP; large operations want webhook or API.

Portal (login)

The default. Suppliers log in to /supplier/[slug] via magic link and act on pending requests in the UI. Best for low-volume suppliers who don't have engineering resources. No setup required beyond clicking Send Portal Invite. See the supplier portal article for what suppliers see and how the ship options work.

CSV email digest

ShipWave emails a daily CSV of pending orders to the supplier's primary contact at a time you choose (default 8:00 AM in the supplier's timezone). Columns are configurable—at minimum, order number, ship-to address, line items with supplierSku and qty. The supplier replies to the same thread with a CSV of tracking numbers, and the inbound parser at supplier-feeds@shipwave.app ingests them automatically. Best for suppliers who already work out of spreadsheets.

SFTP (file drop)

ShipWave drops a JSON or CSV order file to the supplier's SFTP server (or hosts a server they push to) on a schedule. Enter host, port, username, and either a password or upload a private SSH key. Pick the directory layout (one file per order, or one daily batch). Reverse flow: tracking numbers come back via the same SFTP path, in a folder named /inbound. Best for traditional 3PLs and ERP-driven suppliers.

Webhook (HMAC-signed POST)

ShipWave POSTs each new fulfillment request to a URL you configure on the supplier record. Payloads are JSON, signed with HMAC-SHA256 using a shared secret in the X-ShipWave-Signature header. Suppliers respond synchronously with a tracking number or asynchronously by calling back to our /api/supplier/fulfillment/[id]/confirm endpoint with their bearer token. Best for suppliers with their own dev team. Retries with exponential backoff for 24 hours on 5xx.

API (supplier polls us)

The supplier authenticates to https://shipwave.app/api/supplier with a per-supplier bearer token and polls /fulfillment/pending. They POST tracking back to /fulfillment/[id]/confirm. Same data model as the webhook flow but supplier-initiated—useful when the supplier's infrastructure can't accept inbound connections from us (corporate firewalls, allowlisted IPs).

Test connection and idempotency

Every delivery format has a Test Connection button on the supplier record. It sends a synthetic order through the configured path and shows you the round-trip result without touching real customer data. Every inbound tracking event is logged to the idempotency log—duplicate tracking pushes for the same fulfillment request are silently deduped, so retries are safe. The idempotency log is visible on each supplier page and retains 90 days of activity.

FAQs

Can I run two delivery formats at once?

Not for outbound (we pick one to avoid double-fulfillment). For inbound tracking, you can accept tracking via multiple channels at the same time—the idempotency log dedupes.

What's the webhook payload schema?

Linked from the supplier delivery settings page—OpenAPI 3 spec with sample payloads. Stable v1; we version any breaking changes.

How do I rotate the HMAC secret or API token?

Click "Rotate Credentials" on the supplier record. Old and new are both accepted for a 7-day grace window so the supplier can deploy at their pace.

What if a supplier never sends tracking back?

Same fallback as portal-mode: scorecard alert at 24h, escalation at 48h, optional reassignment. Independent of delivery format.