API | Webhooks

Tripleseat provides a comprehensive Webhook system that allows external applications to receive real-time notifications when specific events occur within the system.

Webhook endpoints are configurable programmatically via API and support multiple trigger types across core objects, documents, and contacts.

Managing Webhooks via API

Authentication

All Webhook Endpoint API calls require API authentication.

Authorization: Bearer YOUR_API_TOKEN

Base Endpoint

/api/v1/sites/{site_id}/webhook_endpoints

Supported Webhook Endpoint Operations

Webhook Endpoint Object

Managing Webhooks in Settings

Webhooks can be configured in Tripleseat in Settings > API/Webhooks. Here, you can click the 'Add Webhooks' button and the following trigger types for each object:

// Events:

CREATE_EVENT
UPDATE_EVENT
DELETE_EVENT
REASSIGN_EVENT_LOCATION
REASSIGN_EVENT_AREAS
STATUS_CHANGE_EVENT
CHANGE_EVENT_GUEST_COUNTS
CHANGE_EVENT_DATETIME
REASSIGN_EVENT_OWNERSHIP
REASSIGN_EVENT_CONTACT
REASSIGN_EVENT_ACCOUNT

// Leads:

CREATE_LEAD
CREATE_INTERNAL_LEAD
CONVERT_LEAD
CONVERT_LEAD_TO_BOOKING
LEAD_TURNED_DOWN

// Rooms:

CREATE_ROOM
UPDATE_ROOM

// Tripleseat DirectBook:

ACCEPT_DIRECT_BOOKING
REJECT_DRIECT_BOOKING
CREATE_DIRECT_BOOKING
DIRECT_BOOKING_TERMS_ACCEPTED

// Bookings:

CREATE_BOOKING
DELETE_BOOKING
CHANGE_BOOKING_DATES
CREATE_BOOKING_NOTE
CREATE_BOOKING_TASK
REASSIGN_BOOKING_ACCOUNT
REASSIGN_BOOKING_CONTACT
REASSIGN_BOOKING_OWNERSHIP
REASSIGN_BOOKING_LOCATION
STATUS_CHANGE_BOOKING

// Documents:

SHARE_BOOKING_DOCUMENT
UPDATE_BOOKING_DOCUMENT
CREATE_BOOKING_DOCUMENT
DELETE_BOOKING_DOCUMENT
CREATE_EVENT_DOCUMENT
UPDATE_EVENT_DOCUMENT
SHARED_DOCUMENT
DOCUMENT_SIGNED

// Contacts/Accounts:

UPDATE_ACCOUNT
CREATE_CONTACT
UPDATE_CONTACT
DELETE_CONTACT

// Payments:

PAYMENT_SHARED
PAYMENT_PAID

// Guest Room Blocks (Hotel Customers Only)

CREATE_GUEST_ROOM_BLOCK
UPDATE_GUEST_ROOM_BLOCK
DELETE_GUEST_ROOM_BLOCK

Contact Webhook Behavior

• Fires when a contact is created, updated, or deleted.
• Includes full contact payload.
• Includes social fields (Twitter, Facebook, Instagram, LinkedIn).
• Includes description and websites.
• Does not fire when only timestamp fields change.
• Does not fire when a contact is soft-deleted via deleted_at.

Document Webhooks

Document-related webhooks trigger on document lifecycle events.

• SHARED_DOCUMENT
• DOCUMENT_SIGNED

Shared Document

• Triggers when a document layout is shared.
• Payload includes document_layout.
• Includes booking context.

Document Signed

• Triggers when a signature is created.
• Payload includes document_layout.
• Includes booking context.

What Triggers an "Update" Webhook?

An update webhook triggers when any persisted field on the associated record changes.

• Status changes
• Date/time updates
• Guest count changes
• Room assignments
• Financial updates (if enabled)
• Field-level edits

Webhook evaluation occurs at the data model level, not UI action level.

Webhook Execution Flow

User Action (UI or API)
        │
        ▼
Database Record Updated
        │
        ▼
Webhook Trigger Evaluated
        │
        ▼
Webhook Payload Generated
        │
        ▼
Signature Added (HMAC SHA256)
        │
        ▼
Webhook Delivered
        │
        ▼
Receiver Verifies Signature
        │
        ▼
Application Processes Payload

Webhook Security

Standard Webhooks (HMAC SHA256)

Each webhook request includes an X-Signature header that can be used to verify the legitimacy of the request payload. This is useful to prevent request replays or forged requests. Example signature header:

X-Signature: t=timestamp,v1=hash

1. Extract timestamp and signature
2. Create signed payload
3. Compute HMAC SHA256
4. Compare hashes securely