Booking confirmed echo
Emitted immediately after a successful POST /bookings. Useful for asynchronous
bank architectures that want to confirm the booking in the background.
Headers: X-SafarApi-Signature (HMAC SHA256 of the body with the webhook’s
signing_secret), X-SafarApi-Event-Id (idempotent UUID), X-SafarApi-Event-Type.
Authorizations
API key authentication. Issued by the Safariat admin or via the partner portal. The secret is shown only once at generation.
Production sk_live_* keys must additionally sign every write request
(POST/PUT/DELETE) with the X-Timestamp and X-Signature headers.
Sandbox sk_test_* keys are exempt from request signing: X-Signature and
X-Timestamp are not required for writes in the sandbox (so the developer-portal
"Try it" playground works end to end). The Idempotency-Key header remains
required on writes in both environments.
Body
Idempotent event ID (to deduplicate on the bank side).
booking.confirmed, booking.cancelled, booking.completed, settlement.issued, adventure.unavailable, review.moderated true if the event originates from an sk_test_* key or from
POST /webhooks/{id}/test. The bank must ignore / label these events.
Payload specific to the event type. Stable schema in v1 but may gain new fields (never removed).
Response
The bank acknowledges receipt (any 2xx response closes the delivery).