Outbound Webhooks

Outbound webhooks let you receive real-time notifications in your own systems when things happen in Equaticket — a new order, a refund, an event selling out, or a ticket being scanned. Available on the Pro plan. Use webhooks to build custom integrations, sync data to your CRM, trigger automations in Zapier or Make, or power your own tooling.

Supported Events

order.created

Fires when a buyer completes checkout and payment is confirmed.

{
  "id": "evt_...",
  "type": "order.created",
  "created_at": "2026-04-14T10:00:00.000Z",
  "data": {
    "order_id": "uuid",
    "order_number": "EQ-1234",
    "buyer_email": "buyer@example.com",
    "buyer_name": "Jane Smith",
    "event_id": "uuid",
    "total_amount": 2500,
    "currency": "usd"
  }
}

total_amount is in the currency's smallest unit (cents for USD).

order.refunded

Fires when one or more tickets in an order are refunded.

{
  "id": "evt_...",
  "type": "order.refunded",
  "created_at": "2026-04-14T10:00:00.000Z",
  "data": {
    "order_id": "uuid",
    "event_id": "uuid",
    "status": "refunded",
    "currency": "usd"
  }
}

status reflects the order's new status after the refund: refunded (all tickets refunded) or partially_refunded (some tickets refunded).

event.sold_out

Fires once when the last available ticket on an event is sold.

{
  "id": "evt_...",
  "type": "event.sold_out",
  "created_at": "2026-04-14T10:00:00.000Z",
  "data": {
    "event_id": "uuid",
    "event_title": "Spring Workshop"
  }
}

ticket.checked_in

Fires each time a ticket is successfully scanned at check-in.

{
  "id": "evt_...",
  "type": "ticket.checked_in",
  "created_at": "2026-04-14T10:00:00.000Z",
  "data": {
    "ticket_id": "uuid",
    "ticket_code": "ABCD1234",
    "event_id": "uuid",
    "buyer_name": "Jane Smith",
    "buyer_email": "buyer@example.com",
    "attendee_name": "Jane Smith",
    "ticket_type": "General Admission",
    "checked_in_at": "2026-04-14T18:05:00.000Z",
    "check_in_method": "qr",
    "gate_id": null
  }
}

attendee_name may be null if the organizer did not collect a separate attendee name. gate_id is null if the event has no gates configured.

Setting Up a Webhook

Go to Dashboard > Settings > Developer > Webhooks
Click Add endpoint
Enter your endpoint URL — this must be a publicly accessible HTTPS URL that can receive POST requests
Select the event types you want to receive (you can select all four or choose specific ones)
Click Save

Your signing secret (whsec_...) is shown once at this point. Copy it immediately and store it securely — it cannot be retrieved again. If you lose it, you will need to rotate to a new secret.

You can create up to 5 webhook endpoints per organization.

Verifying Webhook Signatures

Every webhook request includes an X-Webhook-Signature header. Verify this header in your endpoint before processing the payload — it proves the request came from Equaticket and has not been tampered with.

The signature is an HMAC-SHA256 hash of the raw request body, signed with your endpoint's signing secret. The header value is a hex-encoded string.

Important: Verify the signature against the raw request body bytes, before any JSON parsing. If you parse the body first and then re-serialize it for verification, the signature will not match.

For production-ready signature verification code in Node.js, Python, PHP, and Ruby, see the Webhook Verification Guide.

Retries and Delivery

Equaticket expects your endpoint to return a 2xx status code. If your endpoint returns an error or times out (10-second limit), Equaticket retries with exponential backoff:

Attempt	Delay after previous attempt
2	2 minutes
3	4 minutes
4	8 minutes
5	16 minutes

After 5 failed attempts, the delivery is marked as permanently failed and no further retries occur. You can view the full delivery history for each endpoint from the endpoint's detail view in Dashboard > Settings > Developer > Webhooks.

Managing Your Signing Secret

Your signing secret is generated when you create an endpoint and shown once. If it is compromised or lost, only the org owner can rotate it — admins do not have access to secret rotation.

Go to Dashboard > Settings > Developer > Webhooks
Open the endpoint
Click Rotate secret
Copy the new secret immediately and update your endpoint's verification code

Rotating the secret invalidates the old one immediately. Any requests signed with the old secret will fail verification from that point forward.

Connecting to Zapier or Make

Zapier and Make both support receiving webhook data via a "Catch Hook." Set up a Catch Hook in your Zapier or Make scenario, use the generated URL as your Equaticket webhook endpoint, and your automation receives the event data in real time.

For step-by-step guides:

Zapier integration guide — coming soon
Make integration guide — coming soon

Frequently Asked Questions

Does my endpoint need to respond immediately?

Yes — return a 2xx status as quickly as possible, even before you finish processing the payload. If your processing takes time, return 200 immediately and handle the payload asynchronously. Slow responses increase the chance of a timeout triggering a retry.

Can I receive the same event twice?

Yes, in rare cases — network issues or retries can cause duplicate deliveries. Design your endpoint to be idempotent: use the order_id, ticket_id, or other unique identifier in the payload to detect and ignore duplicates.

Can I create webhooks via the API instead of the dashboard?

Yes — webhook endpoints can be created and managed via the Equaticket public API if you are on the Pro plan. API-created and dashboard-created endpoints share the same 5-endpoint limit per organization. See the API reference for details.

My endpoint is receiving events but signature verification is failing.

The most common cause is verifying a parsed or modified version of the body instead of the raw request body. The signature is computed from the raw bytes exactly as received. Make sure you are passing the raw body string to your HMAC function before any JSON parsing.

Still need help? Contact support.