Order Status Webhook

POST
ℹ️
This call is required if you don’t use the Order Booking Finish Status call.

To get the booking processing status:

  1. Provide a callback URL to the API Support team.
  2. Make this request.

The ETG listens for the following codes from your server and reacts accordingly:

  • 200 code—the webhook is successful and doesn’t need a retry.
  • 500 code—the ETG will retry sending for 7.5 minutes at the following intervals:
    • 30 seconds.
    • 60 seconds.
    • 90 seconds.
    • 120 seconds.
    • 150 seconds.

Payload

partner_order_id String required

Identifier of the booking (at the partner) made by the partner.

ℹ️
  • The minimum length is 1 character.
  • The maximum length is 256 characters.

status String required

The reservation status.

ℹ️
If you want to know the failure reason, use the Order Booking Finish Status call.

Payload example

{
  "partner_order_id": "qwerty123",
  "status": "completed"
}

Secure data

signature String required

The hexadecimal digits generated by the HMAC algorithm.

timestamp Int required

The date and time when the webhook token was created, in Unix timestamp format. You can find it in the token signature when decoding. The minimum date is January 1, 1970.

token String required

The randomly generated string with a length of 50.

Secure data example

{
  "signature": {
    "signature": "7865d225dbee1b54909er153d193e0b57b707ebe81ff5b2e1b71ebaf749bec23",
    "timestamp": 1574146939,
    "token": "d3395025-1ee7-49a2-bd86-e4bd6b9908b2"
  }
}

Whole fields example

{
  "data": {
    "partner_order_id": "qwerty123",
    "status": "completed"
  },
  "signature": {
    "signature": "7865d225dbee1b54909er153d193e0b57b707ebe81ff5b2e1b71ebaf749bec23",
    "timestamp": 1574146939,
    "token": "d3395025-1ee7-49a2-bd86-e4bd6b9908b2"
  }
}

Signature verification

To verify the webhook issued by the ETG:

  1. Concatenate the timestamp and token values. Here, “token” is the value sent by the ETG in the webhook data.

  2. Encode the resulting string with the HMAC algorithm:

    1. Use your API Key token as a key.
    2. Use the SHA256 digest mode.

  3. Use the hexdigest() method to produce the resulting string.

  4. Compare the resulting string to the signature.

  5. Optional. Cache the token locally and don’t honor any subsequent request with the same token. This will prevent replay attacks.

  6. Optional. Check that the timestamp is within the token lifetime.

Examples

Python

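import hashlib, hmac
def verify(api_key, token, timestamp, signature):
    # HMAC-SHA256 over timestamp + token, keyed with the API key (Python 3: bytes in)
    hmac_digest = hmac.new(key=api_key.encode(),
                           msg='{}{}'.format(timestamp, token).encode(),
                           digestmod=hashlib.sha256).hexdigest()
    # constant-time comparison of the two hex strings
    return hmac.compare_digest(signature.encode(), hmac_digest.encode())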

Ruby

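require 'openssl'
def verify(api_key, token, timestamp, signature)
  digest = OpenSSL::Digest::SHA256.new
  data = [timestamp, token].join
  expected = OpenSSL::HMAC.hexdigest(digest, api_key, data)
  # constant-time comparison (OpenSSL.secure_compare needs the openssl gem 2.2+)
  OpenSSL.secure_compare(expected, signature)
end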

PHP

function verify($apiKey, $token, $timestamp, $signature)
{
  // check if the timestamp is fresh
  if (abs(time() - $timestamp) > 15) {
    return false;
  }
  // returns true if signature is valid (hash_equals compares in constant time)
  return hash_equals(hash_hmac('sha256', $timestamp . $token, $apiKey), $signature);
}

Node.js

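const crypto = require('crypto')
const verify = ({ apiKey, timestamp, token, signature }) => {
    // timestamp is an Int in the payload, so build the message as a string
    const encodedToken = crypto
        .createHmac('sha256', apiKey)
        .update(`${timestamp}${token}`)
        .digest('hex')
    const expected = Buffer.from(encodedToken)
    const received = Buffer.from(String(signature))
    // timingSafeEqual throws on unequal lengths, so compare lengths first
    return expected.length === received.length &&
        crypto.timingSafeEqual(expected, received)
}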
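
Full check, steps 1 to 6

The examples above cover steps 1 to 4 (the PHP one also checks freshness). The following Python 3 code is an added example, not part of the ETG documentation, that runs all six steps on a whole webhook body. `WebhookVerifier`, `sign`, the verdict strings, the in-memory token cache and the 15-second lifetime are assumptions.

```python
import hashlib
import hmac
import json
import time

TOKEN_LIFETIME = 15  # seconds; assumed (the PHP example on this page uses 15)


def sign(api_key, timestamp, token):
    """HMAC-SHA256 hexdigest over timestamp + token, keyed with the API key."""
    msg = f"{timestamp}{token}".encode()
    return hmac.new(api_key.encode(), msg, hashlib.sha256).hexdigest()


class WebhookVerifier:
    """Hypothetical helper: runs steps 1-6 on one raw webhook body."""
    def __init__(self, api_key, lifetime=TOKEN_LIFETIME, clock=time.time):
        self.api_key, self.lifetime, self.clock = api_key, lifetime, clock
        self.seen = {}  # token -> time after which it can be forgotten

    def check(self, raw_body):
        """Return (verdict, data); data is None unless verdict == 'ok'."""
        try:
            body = json.loads(raw_body)
            sig = body["signature"]
            signature, ts, token = sig["signature"], sig["timestamp"], sig["token"]
            data = body["data"]
        except (ValueError, KeyError, TypeError):
            return "malformed", None
        if not (isinstance(signature, str) and isinstance(token, str)
                and type(ts) is int):
            return "malformed", None
        # Steps 1-4: recompute and compare in constant time (as bytes, so
        # non-ASCII input cannot raise inside compare_digest).
        expected = sign(self.api_key, ts, token)
        if not hmac.compare_digest(expected.encode(), signature.encode()):
            return "bad_signature", None
        # Step 6: the timestamp must fall inside the token lifetime.
        now = self.clock()
        if abs(now - ts) > self.lifetime:
            return "stale", None
        # Step 5: remember a token only after its HMAC passed, so forged
        # requests cannot fill the cache; expired entries are dropped.
        self.seen = {t: exp for t, exp in self.seen.items() if exp >= now}
        if token in self.seen:
            return "replayed", None
        self.seen[token] = ts + self.lifetime
        return "ok", data
```

The HMAC covers only `timestamp` and `token`, not the `data` object, so the freshness and replay checks are what tie a signature block to a single delivery. A multi-process deployment needs a shared store in place of the in-memory dictionary.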