# Webhook

| Property     | Type   | Description                                                                                                                      |
| ------------ | ------ | -------------------------------------------------------------------------------------------------------------------------------- |
| `url`        | string | The URL of the webhook endpoint.                                                                                                 |
| `secret`     | string | The endpoint’s secret used to generate webhook signatures.                                                                       |
| `events`     | array  | The list of events to enable for this endpoint. Allowed values: `["meetingScheduled", "meetingCancelled", "meetingRescheduled"]` |
| `created_at` | string | The ISO-8601 time at which the object was created.                                                                               |
| `uuid`       | string | Unique identifier (UUID v4) of the object.                                                                                       |

## Example webhook object

```javascript
{
   "events":[
      "meetingRescheduled",
      "meetingCancelled",
      "meetingScheduled"
   ],
   "url":"https://example.com/webhook",
   "secret":null,
   "created_at":"2021-05-24T11:04:11+00:00",
   "uuid":"2ba9ee0b-e62a-43bd-aed0-31b26056ecdc"
}
```

## Example request made when a meeting is scheduled

**Request Method:** POST

**Request headers:**

| **Header**          | Description                                                                                                                                                                                                                               |
| ------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `webhook-signature` | Harmonizely can optionally sign the webhook events it sends to your endpoints by including a signature in each event’s `Webhook-Signature` header. This allows you to verify that the events were sent by Harmonizely, not by a third party. |
| `user-agent`        | The user agent. Always set to `Harmonizely`.                                                                                                                                                                                              |

**Request payload:**

```javascript
{
  "data": {
    "rescheduling": null,
    "pretty_canceled_at": null,
    "pretty_scheduled_at": "Wednesday, June 23, 2021 09:30",
    "pretty_scheduled_at_in_invitee_timezone": "Wednesday, June 23, 2021 at 9:30 AM",
    "pretty_canceled_at_in_invitee_timezone": null,
    "event_type": {
      "name": "Demo Call",
      "location": null,
      "location_label": null,
      "description": null,
      "duration": 15,
      "slug": "demo-call",
      "is_secret": false,
      "confirmation_page_type": "internal",
      "confirmation_page_url": null,
      "notification_type": "email",
      "pass_details_to_redirected_page": false,
      "type": "regular",
      "position": 0
    },
    "scheduled_at": "2021-06-23T07:30:00+00:00",
    "end_date": "2021-06-23T07:45:00+00:00",
    "invitee": {
      "first_name": "Bernice",
      "email": "bernice@example.com",
      "full_name": "Bernice J. Cervantez",
      "timezone": "Europe/Warsaw",
      "phone_number": "+48123456789",
      "locale": "en"
    },
    "state": "new",
    "canceled_at": null,
    "uuid": "601f15fb-c7e8-4988-863e-78a6ac4446df",
    "notes": null,
    "details": null,
    "answers": [
      {
        "question_label": "Details",
        "value": "My extra details",
        "question_type": "textarea"
      },
      {
        "question_label": "Agree to terms?",
        "value": 1,
        "question_type": "checkbox"
      }
    ],
    "location": "https://zoom.us/j/xxxxxx",
    "cancellation": null,
    "payment": null
  },
  "event": "meetingScheduled",
  "uuid": "ccc3d816-c44d-4a38-9eb1-e1c7d05538dc"
}
```

### Verifying signature manually

Harmonizely generates webhook signatures using a hash-based message authentication code ([HMAC](https://en.wikipedia.org/wiki/Hash-based_message_authentication_code)) with [SHA-256](https://en.wikipedia.org/wiki/SHA-2), which is then base64-encoded.

1. **Determine the expected signature**

Compute an HMAC with the SHA-256 hash function and encode it using base64. Use the webhook’s signing **secret** as the key, and use the **request's payload** string as the message.

Example in PHP:

```php
$signature = base64_encode(hash_hmac('sha256', $payload, $secret, true));
```

2. **Compare the signatures**

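Compare the signature in the `webhook-signature` header to the expected signature. Use a constant-time comparison (in PHP, `hash_equals()`) so that the check does not leak timing information about the expected value.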
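
The two steps above combined into one PHP function, added here as an example and not Harmonizely's own code: it signs the request body exactly as received, compares in constant time, and rejects the request when the secret or the header is missing. The helper name `verify_webhook_signature`, the sample secret and the sample body are constructed for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Returns true only if $signatureHeader equals
 * base64(HMAC-SHA256(key = $secret, message = $rawBody)).
 * Hypothetical helper name; not part of any Harmonizely SDK.
 */
function verify_webhook_signature(string $rawBody, ?string $signatureHeader, ?string $secret): bool
{
    // Fail closed: with no secret configured or no header sent there is nothing to verify.
    if ($secret === null || $secret === '' || $signatureHeader === null || $signatureHeader === '') {
        return false;
    }

    $expected = base64_encode(hash_hmac('sha256', $rawBody, $secret, true));

    // hash_equals() is a timing-safe string comparison, unlike === or strcmp().
    return hash_equals($expected, $signatureHeader);
}

// In a real endpoint the inputs would come from the request itself:
//   $rawBody         = file_get_contents('php://input');
//   $signatureHeader = $_SERVER['HTTP_WEBHOOK_SIGNATURE'] ?? null;

// Constructed sample values so the script runs offline.
$secret  = 'example-signing-secret';
$rawBody = '{"data": {"state": "new"}, "event": "meetingScheduled"}';
$header  = base64_encode(hash_hmac('sha256', $rawBody, $secret, true));

$cases = [
    'body exactly as received'          => [$rawBody, $header],
    // Decoding and re-encoding drops the spaces, so the signed bytes change.
    'body re-serialized before hashing' => [json_encode(json_decode($rawBody, true)), $header],
    'payload modified in transit'       => [str_replace('Scheduled', 'Cancelled', $rawBody), $header],
    'signature header missing'          => [$rawBody, null],
];

foreach ($cases as $label => [$body, $sig]) {
    printf("%-36s %s\n", $label, verify_webhook_signature($body, $sig, $secret) ? 'accepted' : 'rejected');
}
```

Verify the signature before calling `json_decode()` on the body, and hash the bytes as received rather than a re-encoded copy.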
