API
Webhooks
Subscribe → verify HMAC → respond 2xx in 10s. Retry behaviour and event catalog.
Provider portal → /provider/webhooks. Pick events, paste the URL we should POST to, save the signing secret. Delivery POSTs JSON with two interesting headers:
- Orkestr-Signature: t=<unix>,v1=<hmac-sha256-hex>
- Orkestr-Event: <event-key> (e.g. booking.created)
Verification
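```js
import crypto from 'node:crypto';

// rawBody must be the exact request body as received, not re-serialised JSON.
function verify(rawBody, header, secret) {
  // A missing or malformed header returns false instead of throwing.
  const m = typeof header === 'string' && header.match(/t=(\d+),v1=([a-f0-9]+)/);
  if (!m) return false;
  const [, t, sig] = m;
  const expect = crypto.createHmac('sha256', secret)
    .update(`${t}.${rawBody}`)
    .digest('hex');
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  if (sig.length !== expect.length) return false;
  return crypto.timingSafeEqual(Buffer.from(expect), Buffer.from(sig));
}
```
Retry behaviour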
5 attempts with exponential backoff (~30 minutes total). After the last attempt the event lands in /provider/webhooks → Delivery history. Respond 2xx within 10 seconds; non-2xx + timeout both count as failure.
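An added example (not Orkestr's code) of a stricter receiver-side check for the verification and retry rules above: it verifies the MAC over the raw body in constant time, then rejects old timestamps. The names `checkDelivery` and `sign`, the 300-second window, and the sample secret and body are assumptions made here; the page states no replay window and does not say whether retries carry a fresh `t`.

```javascript
// Added example. Loads node:crypto from a CommonJS or an ES module file.
const crypto = typeof require === 'function'
  ? require('node:crypto')
  : process.getBuiltinModule('node:crypto');

// Assumption: the page gives no replay window; 300 s is chosen for illustration.
const TOLERANCE_S = 300;

// Hypothetical helper: builds the header a sender would attach.
function sign(rawBody, secret, t) {
  const mac = crypto.createHmac('sha256', secret)
    .update(`${t}.${rawBody}`).digest('hex');
  return `t=${t},v1=${mac}`;
}

// Returns { ok: true, t } or { ok: false, reason }; never throws on a bad header.
function checkDelivery(rawBody, header, secret, nowS = Math.floor(Date.now() / 1000)) {
  // Stricter than the page's regex (an assumption): anchored, exactly 64 hex chars.
  const m = typeof header === 'string' &&
    header.match(/^t=(\d+),v1=([a-f0-9]{64})$/);
  if (!m) return { ok: false, reason: 'malformed-header' };
  const expect = crypto.createHmac('sha256', secret)
    .update(`${m[1]}.${rawBody}`).digest();
  const got = Buffer.from(m[2], 'hex'); // 64 hex chars -> 32 bytes, same as expect
  if (!crypto.timingSafeEqual(expect, got)) return { ok: false, reason: 'bad-signature' };
  // Freshness is checked after the MAC: t is untrusted until the MAC verifies.
  const t = Number(m[1]);
  if (Math.abs(nowS - t) > TOLERANCE_S) return { ok: false, reason: 'stale-timestamp' };
  return { ok: true, t };
}

// Constructed sample delivery (not captured traffic).
const SECRET = 'constructed-example-secret';
const NOW = 1700000000;
const RAW = '{"event":"booking.created",  "id":"bk_123"}';
const HEADER = sign(RAW, SECRET, NOW);

const results = {
  valid: checkDelivery(RAW, HEADER, SECRET, NOW),
  // Re-serialising parsed JSON changes the bytes, so the MAC no longer matches.
  reserialised: checkDelivery(JSON.stringify(JSON.parse(RAW)), HEADER, SECRET, NOW),
  replayed: checkDelivery(RAW, HEADER, SECRET, NOW + 3600),
  truncated: checkDelivery(RAW, HEADER.slice(0, -2), SECRET, NOW),
  wrongSecret: checkDelivery(RAW, HEADER, 'other', NOW),
};
console.log(results);
```

If retried deliveries reuse the original `t`, the window has to cover the ~30-minute retry span or legitimate retries will be rejected as stale.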
Event catalog
| Event | Fires when |
|---|---|
| booking.created | Customer creates a booking |
| booking.confirmed | Payment succeeds |
| booking.cancelled | Customer or provider cancels |
| booking.refunded | Refund posted |
| booking.completed | End time passes |
| offering.created | New offering |
| offering.updated | Offering edit |
| review.created | Customer leaves a review |
| dispute.opened | New dispute |
| tenant.kyb_verified | KYB approved |
| webhook.test | Manual test from /provider/webhooks |