Order Status Webhook
POST
ℹ️
This call is required if you don’t use the Order Booking Finish Status call.
To get the booking processing status:
- Provide a callback URL to the API Support team.
- Make this request.
The ETG listens for the following codes from your server and reacts accordingly:
- 200 code—the webhook is successful and doesn’t need a retry.
- 500 code—the ETG will retry sending for 7.5 minutes with the intervals:
- 30 seconds.
- 60 seconds.
- 90 seconds.
- 120 seconds.
- 150 seconds.
Payload
Identifier of the booking (at the partner) made by the partner.
ℹ️
- The minimum length is
1
character. - The maximum length is
256
characters.
The reservation status.
ℹ️
If you want to know the failure reason, use the Order Booking Finish Status call.
Payload example
{
"partner_order_id": "qwerty123",
"status": "completed"
}
Secure data
The date and time of creating a webhook token in the Unix Timestamp format. You can find it in the token signature when decoding. The minimum date is January 1, 1970.
Secure data example
{
"signature": {
"signature": "7865d225dbee1b54909er153d193e0b57b707ebe81ff5b2e1b71ebaf749bec23",
"timestamp": 1574146939,
"token": "d3395025-1ee7-49a2-bd86-e4bd6b9908b2"
}
}
Whole fields example
{
"data": {
"partner_order_id": "qwerty123",
"status": "completed"
},
"signature": {
"signature": "7865d225dbee1b54909er153d193e0b57b707ebe81ff5b2e1b71ebaf749bec23",
"timestamp": 1574146939,
"token": "d3395025-1ee7-49a2-bd86-e4bd6b9908b2"
}
}
Signature verification
To verify the webhook issued by the ETG:
-
Concatenate the timestamp and token values. The “token” means the one sent by the ETG in the webhook data.
-
Encode the resulting string with the HMAC algorithm:
- Use your API Key token as a key.
- Use the SHA256 digest mode.
-
Use the
hexdigest()
method to make a resulting string. -
Compare the resulting string to the signature.
-
Optional. Cache the token locally and don’t honor any subsequent request with the same token. This will prevent replay attacks.
-
Optional. Check that the timestamp is within the token lifetime.
Examples
Python
import hashlib, hmac
def verify(api_key, token, timestamp, signature):
hmac_digest = hmac.new(key=api_key,
msg='{}{}'.format(timestamp, token),
digestmod=hashlib.sha256).hexdigest()
return hmac.compare_digest(unicode(signature), unicode(hmac_digest))
Ruby
require 'openssl'
def verify(api_key, token, timestamp, signature)
digest = OpenSSL::Digest::SHA256.new
data = [timestamp, token].join
signature == OpenSSL::HMAC.hexdigest(digest, api_key, data)
end
PHP
function verify($apiKey, $token, $timestamp, $signature)
{
// check if the timestamp is fresh
if (abs(time() - $timestamp) > 15) {
return false;
}
// returns true if signature is valid
return hash_hmac('sha256', $timestamp . $token, $apiKey) === $signature;
}
Node.js
const crypto = require('crypto')
const verify = ({ apiKey, timestamp, token, signature }) => {
const encodedToken = crypto
.createHmac('sha256', apiKey)
.update(timestamp.concat(token))
.digest('hex')
return (encodedToken === signature)
}