Getting Started
Getting started using Zaui Webhooks and sending them to your endpoints.
Webhook notifications sent from a Zaui supplier system are sent over standard HTTPS POST request as JSON or XML.
Your server must respond with a HTTP 200 class status code immediately upon receipt. If your server does not indicate a successful response in a timely manner, or after 5 consecutive failed delivery attempts, your we
Within the Zaui supplier system, Webhook setup can be found in the Settings > Webhooks section of the Zaui system.
Event Overview
Zaui generates event data that we can send you to inform you of an event that occurred on the platform.
When an event occurs, Zaui generates a new Event Object. For example, if a new booking was created on the platform from the booking engine, or through an OTA channel, you receive a Booking Create event.
By registering webhook endpoints in your Zaui platform, you enable Zaui to automatically send Event Objects as part of the POST request to the registered webhook endpoint hosted by your application. After your webhook endpoint receives the Event, your app can run backend actions (for example adding booking revenue into your financial system, or other operational tasks associated with the event.
Event Object
The Event object we send to your webhook endpoint provides a snapshot of the object associated with the event on the platform.
See a full list of event types that we send your webhook.
How to Create a Webhook
On your Zaui system, login and navigate to Settings > Webhooks
In the left sidebar, click Create
Provide a name for the webhook, if its enabled, the Endpoint URL and type of webhook to be triggered (see a list of all available payload types)
Delivery type can be XML or JSON
Click Save
Create your Endpoint Handler
Setup your HTTPS endpoint function that can accept webhook requests with a POST method.
Setup your endpoint function so that it:
Handles
POST
requests with aJSON
payload which handles the inbound Event object.Quickly returns a successful status code (2xx) prior to any complex logic that could cause a timeout. For example, your must return a
200
response before updating your CRM system when a new customer purchases on your Zaui system.
Secure your endpoint
We highly recommend that you secure your integration by ensuring your handler verifies that all webhook requests are generated by Zaui. You will need to verify these manually.
Verify webhook signatures manually
The Zaui-Signature
header included in each signed event contains the timestamp and a signature that you must verify. The timestamp is prefixed by t=
, and the signature prefixed by v=
To create a manual verification you must complete the following steps:
Step 1: Extract the timestamp and signatures from the header
Split the header into corresponding timestamp (t) and signature (v). You can discard all other elements.
Step 2: Prepare the signed payload string
The signed payload string is created by concatenating:
The timestamp (as a string)
The character
.
The actual JSON payload (that is the request body)
Step 3: Determine the expected signature
The secret is available from within the webhook setup in your Zaui system.
Step 4: Compare the signatures
Compare the signature in the header to the expected signature. For an equality match, compute the difference between the current timestamp and the received timestamp, then decide if the difference is within your tolerance.
To protect against timing attacks, use a constant-time-string comparison to compare the expected signature to the received signature.
Best practices for using webhooks
Review these best practices to make sure your webhooks remain secure and function well with your integration.
Quickly return a 2xx response
Your endpoint must quickly return a successful status code (2xx) prior to any complex logic that could cause a timeout.
Handle Duplicate Events
Only listen to event types your integration requires
Configure your webhook endpoints to receive only the types of events required by your integration. Listening for extra (or all events) puts undue strain on your server and we don't recommend it.
Handle events asynchronously
Configure your handler to process incoming events with an asynchronous queue. You might encounter scalability issues if you choose to process events synchronously.
Prevent replay attacks
For example, a default tolerance of 5 minutes between the timestamp and the current time could be used, your endpoint would capture the timestamp from the headers and verify the time stamp is within in the tolerance parameters.
Last updated
Was this helpful?