Docs
Webhooks
Webhooks
Receive real-time notifications for booking events.
GudCal supports webhooks to notify your systems when booking events occur. Each webhook delivery is signed with HMAC-SHA256 so you can verify it came from GudCal.
Supported Events
| Event | Trigger |
|---|---|
BOOKING_CREATED | A new booking is created by a guest |
BOOKING_CONFIRMED | A pending booking is confirmed by the host |
BOOKING_CANCELLED | A booking is cancelled (by host or guest) |
BOOKING_RESCHEDULED | A booking is moved to a new time |
Creating a Webhook
- Go to Dashboard → Settings → Webhooks
- Click Add Webhook
- Enter your endpoint URL (must be HTTPS in production)
- Select which events to subscribe to
- Copy the generated signing secret — you'll need it to verify deliveries
Payload Format
Webhook payloads are sent as POST requests with a JSON body:
{
"uid": "booking-uid-here",
"status": "CONFIRMED",
"guestName": "Jane Doe",
"guestEmail": "jane@example.com",
"startTime": "2025-03-15T14:00:00.000Z",
"endTime": "2025-03-15T14:30:00.000Z",
"eventType": "30-Minute Meeting",
"location": "Google Meet"
}Signature Verification
Every delivery includes these headers:
| Header | Description |
|---|---|
X-GudCal-Signature | HMAC-SHA256 hex digest of the request body |
X-GudCal-Event | The event type (e.g. BOOKING_CREATED) |
X-GudCal-Timestamp | ISO 8601 timestamp of the delivery |
Verify the signature in your endpoint:
import { createHmac } from "crypto";
function verifyWebhook(body, signature, secret) {
const expected = createHmac("sha256", secret)
.update(JSON.stringify(body))
.digest("hex");
return signature === expected;
}Delivery
- Webhooks are delivered with a 10-second timeout
- Deliveries are fire-and-forget — there are no automatic retries
- Multiple webhooks for the same event are delivered in parallel
- Failed deliveries do not block the booking operation