ETG API V3
[Beta] Sandbox
Booking
Receive booking status webhook

Receive booking status webhook

#sandbox

🆕
The Sandbox environment is available exclusively to new partners who begin their integration in Q4 2025.
ℹ️
This call is required if you don’t use the Check booking process call.

The call retrieves a webhook for the booking process status via the POST method.

Sandbox limitations

No changes.

Getting webhook scenario

  1. Provide the callback URL to the API support team.
  2. The API support team sets up the callback URL.
  3. Once the callback URL is set and the booking process is finished, the ETG API sends the webhook.
  4. Check if the webhook is received on your side and send the appropriate response.
ℹ️

At the last second, request this call for the last time and receive the status:

  • completed — the booking finishing will end with success.
  • failed — the booking finishing will end with an error.

Your server responses

The ETG listens to the following codes from your server and reacts accordingly:

  • Code 200 — the webhook is received successfully and doesn’t need a retry.
  • Code 500 — the ETG needs to retry sending for 7 minutes 45 seconds with the intervals:
    • 45 seconds.
    • 120 seconds.
    • 120 seconds.
    • 180 seconds.

Payload

The payload example:

{
  "partner_order_id": "ftJbebKq6O",
  "status": "completed"
}

Secure data

The secure data example:

{
  "signature": {
    "signature": "03928f3c36a598e939e1ff8c80633194fd897b6f316256ce5493f13e868c11eb",
    "timestamp": 1759800758,
    "token": "1985d764-7b34-4fc5-ab82-0ab0659950a2"
  }
}

Whole fields example 

{
  "data": {
    "partner_order_id": "ftJbebKq6O",
    "status": "completed"
  },
  "signature": {
    "signature": "03928f3c36a598e939e1ff8c80633194fd897b6f316256ce5493f13e868c11eb",
    "timestamp": 1759800758,
    "token": "1985d764-7b34-4fc5-ab82-0ab0659950a2"
  }
}

Signature verification

To verify the webhook issued by the ETG:

  1. Concatenate the timestamp and token values. The “token” means the one sent by the ETG in the webhook data.
  2. Encode the resulting string with the HMAC algorithm:
    1. Use your API Key token as a key.
    2. Use the SHA256 digest mode.
  3. Use the hexdigest() method to make a resulting string.
  4. Compare the resulting string to the signature.
  5. Optional. Cache the token locally and don’t honor any subsequent request with the same token. This will prevent replay attacks.
  6. Optional. Check that the timestamp is within the token lifetime.

Examples

Python 

import hashlib, hmac
def verify(api_key, token, timestamp, signature):
    hmac_digest = hmac.new(key=api_key,
                           msg='{}{}'.format(timestamp, token),
                           digestmod=hashlib.sha256).hexdigest()
    return hmac.compare_digest(unicode(signature), unicode(hmac_digest))

Ruby 

require 'openssl'
def verify(api_key, token, timestamp, signature)
  digest = OpenSSL::Digest::SHA256.new
  data = [timestamp, token].join
  signature == OpenSSL::HMAC.hexdigest(digest, api_key, data)
end

PHP 

function verify($apiKey, $token, $timestamp, $signature)
{
  // check if the timestamp is fresh
  if (abs(time() - $timestamp) > 15) {
    return false;
  }
  // returns true if signature is valid
  return hash_hmac('sha256', $timestamp . $token, $apiKey) === $signature;
}

Node.js 

const crypto = require('crypto')
const verify = ({ apiKey, timestamp, token, signature }) => {
    const encodedToken = crypto
        .createHmac('sha256', apiKey)
        .update(timestamp.toString().concat(token))
        .digest('hex')
    return (encodedToken === signature)
}