API reference

Webhooks

Subscribe your HTTPS endpoint to booking events. Payloads are signed so you can verify they came from your BaaS deployment.

Overview

Manage subscriptions in the dashboard under Settings → Webhooks, or via /api/webhooks/subscriptions. When an event fires, we POST a JSON body to your URL with the headers below.

Outgoing request headers

X-Booking-Event — event name (e.g. booking.confirmed).
X-Booking-Signature — HMAC-SHA256 hex digest of the raw body using your webhook secret.
X-Booking-Timestamp — millisecond timestamp string.
Content-Type: application/json

Verifying signatures

Compute HMAC-SHA256 over the raw request body string with the secret returned when you created the subscription (shown only once). Compare with X-Booking-Signature using a constant-time compare.

Node.js (conceptual)

import crypto from 'crypto'

function verify(rawBody, signature, secret) {
  const expected = crypto.createHmac('sha256', secret).update(rawBody).digest('hex')
  return crypto.timingSafeEqual(Buffer.from(signature), Buffer.from(expected))
}

Event types

Supported values when creating a subscription (invalid types are rejected):

Event	When it fires
booking.created	New booking (e.g. pending).
booking.confirmed	Booking confirmed.
booking.paid	Payment succeeded.
booking.cancelled	Booking cancelled.
booking.refunded	Refund processed.

Secret storage

The webhook signing secret is returned only when you create the subscription. Store it in your secrets manager; it cannot be retrieved again from the API.

Mollie webhooks (incoming)

Mollie sends payment events to POST /api/webhooks/mollie on this deployment. Configure the URL in the Mollie Dashboard; do not confuse this with your own outbound booking webhooks.