ETG API V3
B2B API
Booking
Order Status Webhook

Order Status Webhook

POST
ℹ️
This call is required if you don’t use the Order Booking Finish Status call.

To get a webhook with the booking process status:

  1. Provide the callback URL to the API support team.
  2. The API support team sets up the callback URL.
  3. Once the callback URL is set and the booking process is finished, the ETG API sends the webhook.
  4. Check if the webhook is received on your side.

The ETG listens for the following codes from your server and reacts accordingly:

  • 200 code—the webhook is successful and doesn’t need a retry.
  • 500 code—the ETG will retry sending for 7.5 minutes with the intervals:
    • 30 seconds.
    • 60 seconds.
    • 90 seconds.
    • 120 seconds.
    • 150 seconds.

Payload

partner_order_id String required

The unique partner booking ID.

ℹ️
  • The minimum length is 1 character.
  • The maximum length is 256 characters.
status String required

The booking finishing status.

ℹ️

  • The possible values:

    • completed—the booking finishing has ended with success.
    • failed—the booking finishing has ended with an error.

    To know the reason for the failure, use the Order Booking Finish Status call.

The payload example:

{
  "partner_order_id": "0b370500-5321-4046-92c5-5982f1a64fc6",
  "status": "completed"
}

Secure data

signature String required
The hexadecimal digits generated by the HMAC algorithm.
timestamp Int required

The date and time of creating a webhook token in the Unix Timestamp format.

ℹ️
  • The minimum date is January 1, 1970.
  • You can find it in the token signature when decoding.
token String required
The randomly generated string with the length of 50 characters.

The secure data example:

{
  "signature": {
    "signature": "7865d225dbee1b54909er153d193e0b57b707ebe81ff5b2e1b71ebaf749bec23",
    "timestamp": 1574146939,
    "token": "d3395025-1ee7-49a2-bd86-e4bd6b9908b2"
  }
}

Whole fields example 

{
  "data": {
    "partner_order_id": "0b370500-5321-4046-92c5-5982f1a64fc6",
    "status": "completed"
  },
  "signature": {
    "signature": "7865d225dbee1b54909er153d193e0b57b707ebe81ff5b2e1b71ebaf749bec23",
    "timestamp": 1574146939,
    "token": "d3395025-1ee7-49a2-bd86-e4bd6b9908b2"
  }
}

Signature verification

To verify the webhook issued by the ETG:

  1. Concatenate the timestamp and token values. The “token” means the one sent by the ETG in the webhook data.
  2. Encode the resulting string with the HMAC algorithm:
    1. Use your API Key token as a key.
    2. Use the SHA256 digest mode.
  3. Use the hexdigest() method to make a resulting string.
  4. Compare the resulting string to the signature.
  5. Optional. Cache the token locally and don’t honor any subsequent request with the same token. This will prevent replay attacks.
  6. Optional. Check that the timestamp is within the token lifetime.

Examples

Python 

import hashlib, hmac
def verify(api_key, token, timestamp, signature):
    hmac_digest = hmac.new(key=api_key,
                           msg='{}{}'.format(timestamp, token),
                           digestmod=hashlib.sha256).hexdigest()
    return hmac.compare_digest(unicode(signature), unicode(hmac_digest))

Ruby 

require 'openssl'
def verify(api_key, token, timestamp, signature)
  digest = OpenSSL::Digest::SHA256.new
  data = [timestamp, token].join
  signature == OpenSSL::HMAC.hexdigest(digest, api_key, data)
end

PHP 

function verify($apiKey, $token, $timestamp, $signature)
{
  // check if the timestamp is fresh
  if (abs(time() - $timestamp) > 15) {
    return false;
  }
  // returns true if signature is valid
  return hash_hmac('sha256', $timestamp . $token, $apiKey) === $signature;
}

Node.js 

const crypto = require('crypto')
const verify = ({ apiKey, timestamp, token, signature }) => {
    const encodedToken = crypto
        .createHmac('sha256', apiKey)
        .update(timestamp.toString().concat(token))
        .digest('hex')
    return (encodedToken === signature)
}
Order Booking Finish Status