Webhooks

Outgoing webhook

Slotsy POSTs signed JSON to your URL on every booking event. Verify with HMAC-SHA256 using the shared secret.

Event types

• booking.created · new confirmed booking
• booking.cancelled · cancelled by owner or attendee
• booking.rescheduled · moved to a different slot
• booking.no_show · marked no-show in dashboard
• booking.paid · Stripe charge succeeded
• webhook.test · test ping from this page

Verifying the signature

// Node example
import crypto from "node:crypto";
const sig = req.headers["x-slotsy-signature"]; // "sha256="
const expected = "sha256=" + crypto.createHmac("sha256", SECRET).update(rawBody).digest("hex");
const ok = crypto.timingSafeEqual(Buffer.from(sig), Buffer.from(expected));