Register a webhook endpoint
Configures an HTTPS endpoint that Safariat will call to deliver the selected events.
The response contains the signing_secret to use on the bank side to verify the
X-SafarApi-Signature signature of each delivery. The secret is shown only once.
Retries on failure: exponential at 5 min, 15 min, 1 h, 6 h, 24 h. Beyond that, the event is moved to the dead-letter queue and is visible in the partner portal.
Authorizations
API key authentication. Issued by the Safariat admin or via the partner portal. The secret is shown only once at generation.
Production sk_live_* keys must additionally sign every write request
(POST/PUT/DELETE) with the X-Timestamp and X-Signature headers.
Sandbox sk_test_* keys are exempt from request signing: X-Signature and
X-Timestamp are not required for writes in the sandbox (so the developer-portal
"Try it" playground works end to end). The Idempotency-Key header remains
required on writes in both environments.
Headers
Opaque, client-generated string unique per logical operation (a UUID v4 is
recommended but any non-blank value up to 255 chars is accepted). Same key +
same body = the cached response is returned with the Idempotent-Replayed: true
header. Same key + different body = 409 Conflict. Retained for 24 h.
255Unix timestamp in seconds at the time the request is issued. Validity window
±5 minutes — beyond that the request is rejected. Required for production
sk_live_* keys only; not required for sandbox sk_test_* keys.
hex(HMAC_SHA256(secret, "{X-Timestamp}\n{METHOD}\n{path}\n{body}")).
The path includes the query string. The body is the exact JSON representation
sent — any reformatting invalidates the signature. Required for production
sk_live_* keys only; not required for sandbox sk_test_* keys.
^[a-f0-9]{64}$Body
The bank's HTTPS endpoint. HTTP is rejected.
^https://1booking.confirmed, booking.cancelled, booking.completed, settlement.issued, adventure.unavailable, review.moderated 200Response
Webhook created, signing_secret returned in clear (once only)
booking.confirmed, booking.cancelled, booking.completed, settlement.issued, adventure.unavailable, review.moderated ACTIVE, DISABLED HMAC secret to verify X-SafarApi-Signature on deliveries.
Shown only once, never displayable again.
Last HTTP status received from the bank.