Zaptime Docs

Appearance

Webhooks

Zaptime can send outbound webhooks when reservations are prepared or made. Use a Webhook Integration and attach it to a Workflow step with the Send webhook action.

Configure

  • Create an Integration of type Webhook with:
    • name: any label
    • url: destination endpoint
    • method: GET, POST, PUT, PATCH, DELETE (default: POST)
    • headers: optional key-value map added to the request
    • secret: optional string to enable request signing
  • Create or edit a Workflow and set:
    • action: Send webhook
    • trigger: Reservation prepared or Reservation made
    • integration: select the Webhook Integration to use

Delivery

  • Headers
    • Accept: application/json
    • Custom headers you configure
    • When secret is set: X-Zaptime-Signature: HMAC-SHA256 over the payload (see Security)
  • Body/params
    • POST/PUT/PATCH/DELETE: JSON body
    • GET: query string parameters (signature is still computed over the JSON representation of the same payload data)

Payloads

Reservation prepared

json
{
  "resource": "reservation",
  "action": "prepared",
  "reservationUuid": "...",
  "eventTypeUuid": "...",
  "start": "2025-01-01T10:00:00+00:00",
  "end": "2025-01-01T10:30:00+00:00",
  "email": "guest@example.com",
  "name": "Ada Lovelace",
  "firstName": "Ada",
  "lastName": "Lovelace",
  "userEmail": "owner@example.com",
  "userName": "Account Owner",
  "meetLink": ""
}

Reservation made

json
{
  "resource": "reservation",
  "action": "made",
  "reservationUuid": "...",
  "eventTypeUuid": "...",
  "start": "2025-01-01T10:00:00+00:00",
  "end": "2025-01-01T10:30:00+00:00",
  "email": "guest@example.com",
  "name": "Ada Lovelace",
  "firstName": "Ada",
  "lastName": "Lovelace",
  "userEmail": "owner@example.com",
  "userName": "Account Owner",
  "meetLink": "https://meet.google.com/..."
}

Security (signature)

If you set a secret on the Webhook Integration, each request includes an HMAC-SHA256 signature in the X-Zaptime-Signature header. The signature is computed as:

  • HMAC_SHA256(secret, json_encode(payload)) for non-GET requests (use the raw body you received).
  • For GET requests, the signature is computed over the JSON representation of the same payload data sent as query parameters.

Example verification (Node.js/TypeScript, non-GET)

ts
import crypto from "crypto";

const body = await getRawBody(req); // raw bytes
const signature = req.header("X-Zaptime-Signature") ?? "";
const calc = crypto.createHmac("sha256", secret).update(body).digest("hex");
const valid = crypto.timingSafeEqual(Buffer.from(signature), Buffer.from(calc));

Retries and timeouts

  • No automatic retries are performed; responses are not inspected.