Verifying Inbound Webhooks (Outbound direction)

When NowBookIt sends events to your callback URL, validate that the request genuinely came from NowBookIt before processing it.
NowBookIt’s current outbound webhook security model uses a shared secret approach. Contact your partner manager for your webhook secret.

Signing Requests to NowBookIt (Inbound direction)

When your system calls NowBookIt’s partner inbound endpoints, include an HMAC signature in the request header.

Computing the Signature

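const crypto = require('crypto');

// HMAC-SHA256 over the request body concatenated with the request URL,
// keyed with the shared secret and hex-encoded.
function computeHmac(secret, body, url) {
  const message = body + url;
  return crypto
    .createHmac('sha256', secret)
    .update(message)
    .digest('hex');
}

// Add to request headers. requestBody must be the exact string sent as the
// request body; requestBody, requestUrl and headers come from your HTTP client code.
const signature = computeHmac(process.env.NBI_HMAC_SECRET, requestBody, requestUrl);
headers['X-Partner-Signature'] = signature;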
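
Added example (not NowBookIt's own code): signing the exact serialized body with the body + url construction above, plus a local constant-time check that shows a signature stops matching when the body is re-serialized or the URL differs. The helper names, secret, URL and payload are constructed assumptions.

```javascript
const crypto = require('crypto');

// Same construction as the page: HMAC-SHA256 over body + url, hex-encoded.
function computeHmac(secret, body, url) {
  return crypto.createHmac('sha256', secret).update(body + url).digest('hex');
}

// Hypothetical helper: serialize the payload once and sign that exact string,
// so the bytes that are signed are the bytes that are sent.
function buildSignedRequest(secret, url, payload) {
  const body = JSON.stringify(payload);
  return {
    url,
    body,
    headers: {
      'Content-Type': 'application/json',
      'X-Partner-Signature': computeHmac(secret, body, url),
    },
  };
}

// Hypothetical local check: recompute over the raw body and URL, then
// compare in constant time instead of with === on strings.
function verifySignature(secret, rawBody, url, receivedHex) {
  const expected = Buffer.from(computeHmac(secret, rawBody, url), 'hex');
  const received = Buffer.from(String(receivedHex), 'hex');
  // timingSafeEqual throws on unequal lengths, so check the length first.
  return received.length === expected.length &&
    crypto.timingSafeEqual(received, expected);
}

// Constructed sample values (not real NowBookIt data).
const SAMPLE_SECRET = 'constructed-test-secret';
const SAMPLE_URL = 'https://partner-api.example.invalid/inbound/examplePartner/bookings';
const req = buildSignedRequest(SAMPLE_SECRET, SAMPLE_URL, { locationId: 'loc-1', covers: 4 });

function demo() {
  const sig = req.headers['X-Partner-Signature'];
  const pretty = JSON.stringify(JSON.parse(req.body), null, 2); // same data, different bytes
  return {
    exactBody: verifySignature(SAMPLE_SECRET, req.body, req.url, sig),
    reserialized: verifySignature(SAMPLE_SECRET, pretty, req.url, sig),
    differentUrl: verifySignature(SAMPLE_SECRET, req.body, req.url + '?retry=1', sig),
    malformed: verifySignature(SAMPLE_SECRET, req.body, req.url, 'not-hex'),
  };
}

console.log(demo());
```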

Onboarding Checklist

Before go-live, confirm with your NowBookIt onboarding contact:

| Item | Description |
| --- | --- |
| Signature header name | The header your system sends (e.g. X-Partner-Signature) |
| Shared HMAC secret | Used to sign requests |
| Partner identifier | Your partnerName value for URL paths |
| Location mapping | How your locationId values map to NowBookIt venues |