Creating an endpoint for webhooks
Your endpoint must be an HTTPS webhook address with a valid SSL certificate that can correctly process event notifications as described below. You must also implement verification to make sure webhook requests originate from Bókun.
Payloads
Payloads contain a JSON object with the data for the webhook event. The contents and structure of each payload vary depending on the subscribed event.
Receiving a webhook
After you register a webhook URL, Bókun issues an HTTP POST request to the URL specified every time that event occurs. The request's POST parameters contain JSON data relevant to the event that triggered the request.
Make sure your server is correctly configured to support HTTPS with a valid SSL certificate.
Responding to a webhook
Your webhook acknowledges that it received data by sending a 200 OK response. Any response outside of the 200 range, including 3XX HTTP redirection codes, indicates that you did not receive the webhook. Bókun does not follow redirects for webhook notifications and considers them to be an error response.
Frequency
Bókun has implemented a five second timeout period and a retry period for subscriptions. Bókun waits five seconds for a response to each request to a webhook. If there is no response, or an error is returned, then Bókun retries the connection a few times. If the retries all fail, then the webhook subscription is automatically deleted. A warning that the subscription will be deleted is sent to the app's emergency developer email address.
To avoid timeouts and errors, consider deferring app processing until after the webhook response has been successfully sent.
Verifying webhooks
Webhooks for your App are verified by calculating a digital signature. Each webhook request includes a base64-encoded X-Bokun-HMAC header, which is generated using the app's secret key along with the data sent in the request.
To verify that the request came from Bókun, compute the HMAC digest according to the following algorithm and compare it to the value in the X-Bokun-HMAC header. If they match, then you can be sure that the webhook was sent from Bókun.
- Take all the request headers that start with X-Bokun.
- Make sure you exclude the X-Bokun-HMAC header from the list.
- Transform the header names to lower case, and then order them alphabetically by header name.
- Append the headers and their values into a single string using the following format:
header1=value1&header2=value2
For example, if you had the following headers:
x-bokun-apikey: bb5d27dda5a24c4eaf8263ac5a5054f8
x-bokun-experience-id: RXhwZXJpZW5jZToyNjA5
x-bokun-hmac: a59876dd257d700931076e56b061a0e8a14f29ea067eaba6a777c33afbf1e7fb
x-bokun-topic: experiences/availability_update
x-bokun-vendor-id: VmVuZG9yOjQ
Then the string would look like this:
x-bokun-apikey=bb5d27dda5a24c4eaf8263ac5a5054f8&x-bokun-experience-id=RXhwZXJpZW5jZToyNjA5&x-bokun-topic=experiences/availability_update&x-bokun-vendor-id=VmVuZG9yOjQ
- Next, you process the string through an HMAC-SHA256 hash function using the app API secret key. The request is authentic if the generated hexdigest is equal to the value of the X-Bokun-HMAC header.
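The verification steps above, written out as an added Python example (not Bókun's own code). The function names are illustrative, the secret is a placeholder, and the sample signature is computed locally from that placeholder rather than taken from the example above.

```python
import hashlib
import hmac


def canonical_string(headers):
    """Build the string to sign from the X-Bokun-* headers, per the steps above."""
    signed = {}
    for name, value in headers.items():
        lname = name.lower()  # HTTP header names are case-insensitive
        if lname.startswith("x-bokun") and lname != "x-bokun-hmac":
            signed[lname] = value
    return "&".join(f"{name}={signed[name]}" for name in sorted(signed))


def sign(headers, secret):
    """HMAC-SHA256 hexdigest of the canonical string, keyed with the app secret."""
    message = canonical_string(headers).encode("utf-8")
    return hmac.new(secret.encode("utf-8"), message, hashlib.sha256).hexdigest()


def verify_webhook(headers, secret):
    """Return True only if X-Bokun-HMAC matches the locally computed digest."""
    received = next((v for k, v in headers.items() if k.lower() == "x-bokun-hmac"), None)
    if not received:
        return False  # unsigned request: reject
    expected = sign(headers, secret)
    # compare_digest runs in constant time, so the comparison does not leak
    # how many leading characters of a guessed signature were correct.
    return hmac.compare_digest(expected.encode(), received.strip().encode())


# Constructed sample: header values from the example above, placeholder secret.
SECRET = "example-app-secret"  # assumption, not a real key
SAMPLE = {
    "X-Bokun-Topic": "experiences/availability_update",
    "X-Bokun-ApiKey": "bb5d27dda5a24c4eaf8263ac5a5054f8",
    "X-Bokun-Vendor-Id": "VmVuZG9yOjQ",
    "X-Bokun-Experience-Id": "RXhwZXJpZW5jZToyNjA5",
    "Content-Type": "application/json",  # ignored: not an X-Bokun header
}
SAMPLE["X-Bokun-HMAC"] = sign(SAMPLE, SECRET)

if __name__ == "__main__":
    print(canonical_string(SAMPLE))
    print(verify_webhook(SAMPLE, SECRET))
```

Run the check before any processing of the payload, and return a non-200 response when it fails.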