Webhooks

When an event fires, we POST a JSON payload to your URL with these headers:

X-Webhook-Event: book.completed
X-Webhook-Signature: sha256=<HMAC of body using your secret>
Content-Type: application/json

Verify the signature: hmac_sha256(secret, body) === signature

Retry policy: 3 attempts with exponential backoff (1s, 5s, 25s). After 3 failures, the webhook is disabled.