Webhooks
Receive real-time notifications for booking and catalog events
Webhooks send HTTP POST requests to your server when events happen in CR Bee. Use them to sync bookings, update external systems, or clear caches.
Setting Up Webhooks
Via Admin Dashboard
- Go to Settings > Developer > Webhooks
- Click Add Webhook
- Enter your endpoint URL (must be HTTPS)
- Select the events you want to receive
- Save and copy the webhook secret
Via API (Auto-Register)
The WordPress plugin uses this endpoint for automatic webhook setup:
curl -X POST \
-H "Authorization: Bearer crb_live_..." \
-H "Content-Type: application/json" \
-d '{"url": "https://yoursite.com/webhook", "events": ["booking.created", "catalog.updated"]}' \
https://your-slug.crbeeapp.com/api/v1/webhooks/auto-registerThis endpoint is idempotent — if the URL is already registered, it returns the existing webhook.
Event Types
| Event | Triggered When |
|---|---|
booking.created | A new booking is created |
booking.status_changed | Booking status changes (e.g., confirmed → picked up) |
booking.cancelled | A booking is cancelled |
booking.payment_updated | Payment status changes |
booking.message_received | Customer sends a message via Manage Booking |
catalog.updated | Vehicles, locations, categories, addons, or features are modified |
Payload Format
{
"event": "booking.created",
"timestamp": "2026-05-09T14:30:00.000Z",
"data": {
"bookingRef": "REN-2026-00001",
"customerName": "John Doe",
"customerEmail": "john@example.com",
"vehicleName": "Toyota Corolla",
"pickupDate": "2026-05-15",
"dropoffDate": "2026-05-18",
"grandTotal": 150.00,
"currency": "EUR"
}
}Catalog Updated Payload
{
"event": "catalog.updated",
"timestamp": "2026-05-09T14:30:00.000Z",
"data": {
"resource": "cars"
}
}The resource field indicates what changed: cars, locations, categories, addons, features, or all.
Verifying Webhook Signatures
Every webhook request includes an HMAC-SHA256 signature in the X-CrBee-Signature header. Verify it to ensure the request is genuine.
Node.js
const crypto = require('crypto');
function verifyWebhook(body, signature, secret) {
const expected = crypto
.createHmac('sha256', secret)
.update(body)
.digest('hex');
return crypto.timingSafeEqual(
Buffer.from(signature),
Buffer.from(expected)
);
}
// In your webhook handler:
app.post('/webhook', (req, res) => {
const signature = req.headers['x-crbee-signature'];
const isValid = verifyWebhook(req.rawBody, signature, WEBHOOK_SECRET);
if (!isValid) {
return res.status(401).json({ error: 'Invalid signature' });
}
const event = JSON.parse(req.body);
// Handle event...
res.json({ received: true });
});PHP
function verify_webhook($body, $signature, $secret) {
$expected = hash_hmac('sha256', $body, $secret);
return hash_equals($expected, $signature);
}
// In your webhook handler:
$body = file_get_contents('php://input');
$signature = $_SERVER['HTTP_X_CRBEE_SIGNATURE'] ?? '';
if (!verify_webhook($body, $signature, $secret)) {
http_response_code(401);
exit;
}
$event = json_decode($body, true);
// Handle event...Headers
| Header | Description |
|---|---|
X-CrBee-Signature | HMAC-SHA256 hex signature |
X-CrBee-Event | Event type (e.g., booking.created) |
Content-Type | application/json |
Delivery Behavior
- Timeout: 10 seconds per request
- Concurrency: Up to 5 concurrent webhook deliveries
- Retries: Not built-in — webhooks are fire-and-forget. Implement idempotent processing and your own retry logic if needed
- Order: Events may arrive out of order during high volume