Deeplink format

https://www.doordash.com/rx/{merchant_tag}?store_id=...&item=...&signature=...

IMPORTANT NOTE

Merchants should not, under any circumstances, provide DoorDash with any identifying patient data or Protected Health Information related to the prescription order within the deeplink.

Path parameters

| Parameter | Type | Required | Description |
|---|---|---|---|
| merchant_tag | string | Yes | The unique pharmacy identifier for the merchant. |

Query parameters

| Parameter | Type | Required | Repeatable | Description |
|---|---|---|---|---|
| store_id | string | Yes | No | The unique identifier for the merchant's store. |
| item | string | Yes | Yes | Encodes the prescription details in the format: <prefix>:<copay>:<expiry>. |
| signature | string | No | No | Used to verify authenticity and integrity of the URL; see signature details. Must be the last parameter in the URL. |

item parameter format

<3-letter prefix>:<copay in cents>:<expiration in Unix time (seconds)>

| Component | Description |
|---|---|
| prefix | The first 3 letters of the prescription name. |
| copay | Cost in cents. Example: 500 = $5.00. |
| expiration | Unix timestamp for expiration (in seconds). Example: 1749225600. |

signature details

DoorDash verifies the authenticity and integrity of signed URLs using RSA digital signatures with the SHA-256 hashing algorithm. Signatures must be generated using a standards-compliant RSA signature scheme, specifically PKCS#1 v1.5 as defined in RFC 8017, Section 9.2. This corresponds to the algorithm commonly named SHA256withRSA or RSA-SHA256 in most programming languages and cryptography libraries.

The merchant should follow these steps to generate a valid signature:

  1. Generate an RSA public/private key pair (X.509/PKCS#8) and provide DoorDash with the public key in PEM format.
  2. Build the string to be signed by taking the unsigned URL (i.e. without a signature parameter) and extracting the substring that begins with the <merchant_tag> and continues through the last non-signature parameter (do not include the scheme, host, or leading slash).
  3. Compute the SHA-256 digest of the string exactly as it appears, preserving its exact characters, punctuation, and encoding.
  4. Generate a digital signature with their private key using RSASSA-PKCS1-v1_5 with SHA-256. The signing library will automatically wrap the hash in the required ASN.1 DigestInfo structure and apply PKCS #1 v1.5 padding. The result is a binary signature value.
  5. Encode the binary signature as a Base64 string.
  6. Append the signature query parameter to the end of the unsigned URL, with the Base64-encoded signature as its value. This produces the final signed URL.

For a detailed walkthrough of this process, see How the signature was generated in the first example.

Example #1 - single item with signature

The following deeplink will be used for this example.

https://www.doordash.com/rx/abc?store_id=123&item=PRO:500:1749225600
&signature=LxJ4yLpA0kRWDk6DASS9cg5C2yCezGmxROEsj+5IaaVO1qIb2HdEmcKTz
XbTgV3Pxp0N9MvmRBpS9Dx8wuFJVcGp9pQlUBfsFsyS8OtvqQQ1zGkGZiWipKSmAigsg
pLYJrn4Y4EzG18u/7ff1duEySdcJTB0QB6tHtipAe2HpUON5Xto8PnXtpBp+7BnsTpzq
k+c9vhnrt702QvlfEGCTbePmvOI5FD75jKvMK/SwhAdcwxnTkxuZku/2I9wQyWCC9mBe
EhZ90ugIy76bchO5VqLPR2oPugTQfJx0XWr0K6loVndu78DtA1DBXRfyGBaHde7udBDM
zV0G+uU7MFhEA==

Note: Line breaks are shown above for readability only. In production, the deeplink must be a single uninterrupted URL.

The deeplink contains the following information:

| Parameter | Value | Explanation |
|---|---|---|
| merchant_tag | abc | |
| store_id | 123 | |
| item | PRO:500:1749225600 | This item corresponds to a prescription beginning with PRO, has a $5.00 copay, and expires at Unix timestamp 1749225600 (which is June 6, 2025, 12:00 PM ET) |
| signature | The Base64 value shown in the deeplink above | See How the signature was generated for an explanation. |

How the signature was generated

For the purposes of this example, we will use the following key pair.

Public Key

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAiVkjeAuoqZTVcAl6lKWF
j912B+DeXneq6wCGnwl2PUBt9+tVE5vkOUIjolMe1ac2r+jSrh8p2YkcMgl5EyVP
kHxeiCWqVblm0dP0VKnw/T/IDWE7o4vhdCSaaWUmfng3ZDUyzt3kaC4lXBCYsy1i
MVD0AeAg52fEDZkI+7x5i2x7rs6XO6yGwzPlKBiMJ1l5os09gmLfIoLlGsUH0ZLK
iq1D2ieCVVd/qemQ+vUW78BVFo9dRif79LOTC3SZksTLnQ2MlUDXM1jQOcqngOhI
l76RkQn2xk6kSkODz0CEdzWCxOibxUTQPdoNqXAegOOA9FqoPEsNIRwBKYBqYnhn
CwIDAQAB
-----END PUBLIC KEY-----

Private Key

-----BEGIN PRIVATE KEY-----
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCJWSN4C6iplNVw
CXqUpYWP3XYH4N5ed6rrAIafCXY9QG3361UTm+Q5QiOiUx7Vpzav6NKuHynZiRwy
CXkTJU+QfF6IJapVuWbR0/RUqfD9P8gNYTuji+F0JJppZSZ+eDdkNTLO3eRoLiVc
EJizLWIxUPQB4CDnZ8QNmQj7vHmLbHuuzpc7rIbDM+UoGIwnWXmizT2CYt8iguUa
xQfRksqKrUPaJ4JVV3+p6ZD69RbvwFUWj11GJ/v0s5MLdJmSxMudDYyVQNczWNA5
yqeA6EiXvpGRCfbGTqRKQ4PPQIR3NYLE6JvFRNA92g2pcB6A44D0Wqg8Sw0hHAEp
gGpieGcLAgMBAAECggEAOSNcHhS7ldDU+kb3N9+kMLVw5NYnrCUcdadCWecVyWWE
Wh8MxZuU1j0tldn+eeOWXJf/DXDpeBYSJL7MH6rl7rXOndUNh5wZqjEC9DW+i5x9
HRPWO7N1l1ui4TWzTem1IXsAKA8ndi+8WxCMdf3rW5jR6fXTunDwnreLhS5jYhyi
vXs3xyKP27E+TN1YX93oKIHipPxBHRid1SdjzjdTpFyxKMftTdr1pm1Jsg6UaI/v
mfFhwRlQGwecuBSGhrEnaRTiR/eJV1fbFkNsD+9KU7xSA48tN/5LjoHyuN1Q1SsL
dYsaOkkEiSE5u/3WkkhwhFHroNckGSVcfbFvypn0AQKBgQDMeUEKytgAYag6DqoO
ZsjmW/yRxzRAlIeaZ3qBzX5bVSipQyLIvP2Z0fkaKhodGmBMFyZ01zI8ZrmneDma
m5nqIdzlfsQvzC0zGyqucDJZT7q1mh2GZlBfs8WOjsNvXKpFAGZs1rd9cgCJpmpM
x5ZnoUnaKPPs4wCmGuTalShjbQKBgQCr9ZJ0+2ZWUoMC2qyjozXCFvI3/GTycrKg
NHGmkHHc67/lDhG8/wi893YFi4T7Hlkyq5HP7ABnU3ZkXeKrx8V9ep+4PoHmXKSH
p1o9/dMiVSxeXpMKv7whnPm9ac2EZ4C4DZx5/6X5FgL0HPE2h7ulOTPPZthIDVeM
AUGYQJnxVwKBgAXKaU0k8XkRSvJZ9/bwckAT2tNGEPTDQBPfWljSuQFdKAmjHRkS
QRxaFfPnvVWVqaR+A1jLv2B2iEt13CvEvFclHlxheqzf22fXHR5Tjxl4aJE8DBoC
S8RqEu42nNJKjYfmuv/aFNg4oktDqz8BaAEHUFAdWMscoqgRmumVz88BAoGAEcAW
ryaoSK7ZwTira3TUfsV5mVffX7uBPtJLDQOKDWD0fQN3x0eYMlFlCGt/faCDWpyl
P44/+GqAJRof5NWJSEuZIx6osAvOHAalZRLHcZrTKqaejRR/qgSXLvs18L3yZo1Z
IqrGCjFAesxmBdf7AbIm6/jUyJM//z6986ZvfZ8CgYAqCmPl5RW8mUja0Y8BgFaZ
pamBxjwWwiB1cGmJYTahUMnCvyLkrhvlJbCkDhW9WdwxEKilp47rCWkEerFOtdP8
7lwRjRuAwDp3jB4fnH14pQHbjoCKy+oAfp5cA27u9M+OmX1nvtvGGm5WLsJWaqg3
jOJlREyyYiA+b6fLmCtPZA==
-----END PRIVATE KEY-----

Process

  1. The string to be signed is abc?store_id=123&item=PRO:500:1749225600.
  2. The SHA-256 hash of this string is a9bcf63278a337644700c11a8262cb6238c9765af55044bb90a2affe0675cdf0 (shown for illustration only; standard signing APIs handle hashing internally).
  3. Sign using your private key with a PKCS#1 v1.5-compliant RSA signature function. Most modern languages provide a standards-compliant implementation of this algorithm through their standard or widely used crypto libraries (for example, Java Signature.getInstance("SHA256withRSA"), Python private_key.sign(..., padding.PKCS1v15(), hashes.SHA256()), or Node.js crypto.createSign('RSA-SHA256')). This produces a binary signature value.
  4. Base64-encode the binary signature value to produce the following string: LxJ4yLpA0kRWDk6DASS9cg5C2yCezGmxROEsj+5IaaVO1qIb2HdEmcKTzXbTgV3Pxp0N9MvmRBpS9Dx8wuFJVcGp9pQlUBfsFsyS8OtvqQQ1zGkGZiWipKSmAigsgpLYJrn4Y4EzG18u/7ff1duEySdcJTB0QB6tHtipAe2HpUON5Xto8PnXtpBp+7BnsTpzqk+c9vhnrt702QvlfEGCTbePmvOI5FD75jKvMK/SwhAdcwxnTkxuZku/2I9wQyWCC9mBeEhZ90ugIy76bchO5VqLPR2oPugTQfJx0XWr0K6loVndu78DtA1DBXRfyGBaHde7udBDMzV0G+uU7MFhEA==.
  5. Use this value as the signature query param in the signed URL.
  6. DoorDash will use the public key to verify the signature (using the same algorithm) to guarantee authenticity and integrity of the URL.
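
The signing steps and the verification step above, as an added Node.js example that is not DoorDash's code. The function names are hypothetical, the key pair is a throwaway one generated at run time, and the verifier shows one way a receiving side could check such a URL, not DoorDash's implementation.

```javascript
// Added example, not DoorDash code. Function names are hypothetical.
const crypto = require('crypto');

const BASE = 'https://www.doordash.com/rx/';
const SIG = '&signature=';

// Constructed throwaway key pair; a real merchant key is generated once and kept secret.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

// Step 2: the string to sign starts at <merchant_tag> (no scheme, host, or leading slash).
function stringToSign(unsignedUrl) {
  if (!unsignedUrl.startsWith(BASE)) throw new Error('unexpected deeplink prefix');
  if (/[?&]signature=/.test(unsignedUrl)) throw new Error('URL is already signed');
  return unsignedUrl.slice(BASE.length);
}

// Steps 3-6: RSASSA-PKCS1-v1_5 with SHA-256, Base64-encode, append as the last parameter.
function signDeeplink(unsignedUrl, key) {
  const b64 = crypto.createSign('RSA-SHA256')
    .update(stringToSign(unsignedUrl), 'utf8')
    .sign(key, 'base64');
  return unsignedUrl + SIG + b64;
}

// Verifier side. The raw URL is split instead of being parsed with URLSearchParams,
// because query decoding turns the '+' of an unescaped Base64 value into a space.
function verifyDeeplink(signedUrl, key) {
  const at = signedUrl.lastIndexOf(SIG);
  if (at === -1 || !signedUrl.startsWith(BASE)) return false;
  const b64 = signedUrl.slice(at + SIG.length);
  // Anything after the Base64 value means signature was not the last parameter.
  if (!/^[A-Za-z0-9+/]+={0,2}$/.test(b64)) return false;
  const signedPart = signedUrl.slice(BASE.length, at);
  return crypto.createVerify('RSA-SHA256').update(signedPart, 'utf8').verify(key, b64, 'base64');
}

const unsigned = BASE + 'abc?store_id=123&item=PRO:500:1749225600';
const signed = signDeeplink(unsigned, privateKey);
console.log(verifyDeeplink(signed, publicKey));                           // true
console.log(verifyDeeplink(signed.replace(':500:', ':100:'), publicKey)); // false
```

Changing the copay after signing, or appending another item after the signature parameter, makes verification fail.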

Example #2 - multiple items

The following deeplink will be used for this example.

https://www.doordash.com/rx/abc?store_id=123&item=PRO:500:1749225600
&item=MET:1295:1749398400

The deeplink contains the following information:

| Parameter | Value | Explanation |
|---|---|---|
| merchant_tag | abc | |
| store_id | 123 | |
| item | PRO:500:1749225600 | This item corresponds to a prescription beginning with PRO, has a $5.00 copay, and expires at Unix timestamp 1749225600 (which is June 6, 2025, 12:00 PM ET) |
| item | MET:1295:1749398400 | This item corresponds to a prescription beginning with MET, has a $12.95 copay, and expires at Unix timestamp 1749398400 (which is June 8, 2025, 12:00 PM ET) |