Skip to main content
Webhooks · Business plan

Marai webhooks in
real time

Receive an HTTPS POST signed with HMAC-SHA256 every time one of the 12 events fires in your calendar: appointments, clients, payments and bookings. For tailor-made integrations with your own stack, no Zapier in between. Available on the Business plan.

  • 12

    Real-time events

    7 appointment, 2 client, 2 payment and 1 booking events. All individually filterable from the dashboard.

  • HMAC-SHA256

    Every payload signed

    X-Marai-Signature header with your personal secret. Impossible to forge requests.

  • SSRF guard

    Designed for production

    Two layers: URL parser + DNS pre-resolution block private IPs and cloud metadata endpoints.

What are Marai webhooks?

They are automatic HTTP POST calls that Marai sends to an HTTPS URL of your choice every time one of the 12 available calendar events fires (new appointment, cancellation, payment received, etc.). Each call includes a JSON body signed with HMAC-SHA256 via the X-Marai-Signature header, so you can verify authenticity before processing. The system is fire-and-forget: if your endpoint fails, Marai’s primary operation is unaffected. Available on the Business plan.

How to configure webhooks

Three steps to connect Marai with any HTTP service that accepts POST requests: your own backend, a serverless function, an internal tool or a middleware.

Enable webhooks on Business plan

From Settings > Integrations > Webhooks (available on Business plan), enable the module and generate a unique HMAC secret for your business. Save it: Marai will not show it again.

Configure URL and events

Provide your destination HTTPS URL and pick the events you want to receive (from the 12 available). If you pick none, Marai sends them all. Adjust the list any time.

Receive POST with signed JSON

From that point on, each event triggers a POST to your URL in under one second. Verify the X-Marai-Signature header against your secret and process the payload. 10s timeout, no automatic retries.

Available events

Twelve events cover the full product lifecycle: scheduling, clients, payments and public bookings. Each can be enabled or disabled individually.

Appointments 7 events
  • appointment.created A new appointment has been created.
  • appointment.confirmed The client has confirmed attendance.
  • appointment.rescheduled Date or time has been changed.
  • appointment.updated A field has been modified (service, professional, notes).
  • appointment.completed The appointment has been marked as completed.
  • appointment.cancelled The appointment has been cancelled.
  • appointment.noShow The client did not show up.
Clients 2 events
  • client.created New client registered in the business.
  • client.updated Client data updated (phone, email, notes, etc.).
Payments 2 events
  • payment.completed Payment successfully processed via Stripe.
  • payment.failed Payment rejected or failed (card, funds, 3D Secure, etc.).
Public bookings 1 event
  • booking.submitted A client has submitted a request from the public booking portal.

Payload structure

Every webhook arrives as POST with a UTF-8 signed JSON body. Structure is stable and implicitly versioned via the "event" field.

appointment.created.json POST application/json
{
  "event": "appointment.created",
  "businessId": "uuid-string",
  "timestamp": "2026-05-07T14:32:18.420Z",
  "data": {
    "appointmentId": "uuid",
    "clientId": "uuid",
    "professionalId": "uuid",
    "serviceId": "uuid",
    "startTime": "2026-05-09T10:00:00.000Z",
    "endTime": "2026-05-09T10:30:00.000Z",
    "status": "PENDING_CONFIRMATION"
  }
}

HTTP headers sent

  • Content-Type application/json
  • User-Agent Marai-Webhooks/1
  • X-Marai-Signature hex(HMAC-SHA256(body, secret))
  • X-Marai-Event appointment.created (event name)
  • X-Marai-Delivery UUID unique per delivery attempt

Webhooks vs Zapier — which one fits?

Both tools connect Marai with the rest of your stack, but they target different profiles. Webhooks give the technical team full control; Zapier is the no-code option for users without developers.

Feature Webhooks Zapier
User type Developer / technical No-code / business
Per-event cost €0 Zapier plan from $19.99
Latency < 1 s ~5-30 s
Available events 12 12
Required Marai plan Business Pro or Business
Automatic retries No (fire-and-forget) Yes (Zapier retries)
Signature verification HMAC-SHA256 Secret URL

Benefits of webhooks

  • True real-time

    Events delivered in under a second. No periodic polling, no added latency.

  • Zero per-event cost

    Unlike Zapier, you don’t pay per task. You connect directly with your own infrastructure.

  • Event-level filtering

    Configure which events you want. If you only care about "appointment.created", that’s the only POST you’ll see.

  • Never affects your calendar

    If your endpoint fails, Marai logs the error but the internal operation stays intact. Fire-and-forget design.

Security by design

Marai treats outbound webhooks as a potential attack surface: every URL goes through two validation layers before each call to prevent SSRF, DNS rebinding and leaks to internal networks. Your endpoint will never receive a call that does not originate from the official dispatcher.

  • HTTPS required
  • HMAC-SHA256 signed
  • 2-layer SSRF guard
  • 10s timeout
  • Cloud metadata blocked (GCP/Azure/AWS)
Activate webhooks on Business

Available exclusively on the Business plan. Cancel any time from the dashboard.

More integrations: WhatsApp · Google Calendar · Stripe · Gmail · Zapier · Microsoft

Frequently asked questions

Which plan includes webhooks?

The Business plan (€99/month). Free, Starter and Pro plans do not include custom webhooks; for those plans the equivalent alternative is the Zapier integration (on the roadmap, coming soon for Pro and Business).

What is the difference between webhooks and Zapier?

Webhooks are the technical option: an HTTPS POST signed with HMAC-SHA256 that hits your own backend. Zero per-event cost, <1s latency, no retries. Zapier is the no-code option: configure Zaps visually, connect with thousands of apps, Zapier retries automatically. Webhooks give full control; Zapier is faster to set up.

How do I verify the HMAC-SHA256 signature?

In your endpoint, compute the HMAC-SHA256 of the request body using your secret as the key. Compare it in constant-time with the value in the X-Marai-Signature header (hex format). If they match, the request is authentic. The dashboard documentation includes Node.js and Python examples.

Are there automatic retries if my endpoint fails?

No. Marai uses a fire-and-forget design: each webhook is sent once with a 10-second timeout. If your endpoint returns an error or does not respond in time, Marai logs it but does not retry. If you need delivery guarantees, queue the incoming webhook and process it on your own system with retries.

Can I receive only certain events?

Yes. From the dashboard you configure a list of events you subscribe to. If the list is empty, Marai sends all 12 events. If you only select the ones you care about, the others are not sent to your endpoint.

Does Marai accept inbound webhooks (from another app to Marai)?

Not directly. Marai is the source of events, not the destination. If you need an external system to create appointments or clients in Marai, the option is the official REST API (authenticated with API key in Settings > Integrations) or the upcoming Zapier integration, where Marai will also appear as an action.