Overview
Webhooks allow your platform to receive real-time notifications when important events happen:- User connects their calendar
- Meeting is scheduled
- Meeting is rescheduled
- Meeting is cancelled
- User updates preferences
Setup
Configure your webhook URL in the platform settings or via API:Request Body
Webhook Events
Syncline supports 10 webhook event types across 3 categories: User Calendar, Meeting, and Platform events.Event Payload Structure
All webhook events follow this consistent structure:User Calendar Events
user.calendar.connected
Fired when a user successfully connects their Google Calendar via OAuth. Multi-Platform Behavior: If the user is connected to multiple platforms (e.g., Boardy, Luma, Cal.com), ALL platforms receive this webhook.user.calendar.disconnected
Fired when a user revokes calendar access or connection is deleted. Multi-Platform Behavior: ALL platforms that had this user connected receive this webhook.user_requested- User explicitly disconnectedtoken_expired- OAuth token could not be refreshedrevoked- User revoked access from Google
user.calendar.refresh_failed
Fired when OAuth token refresh fails. This is a critical event that indicates the user must re-authenticate via OAuth before any scheduling operations can proceed for this user. When does this happen? Google OAuth refresh tokens can become invalid for several reasons:
Payload:
oauth_url is pre-built with your platform’s publishable key and the user’s email. You can send this URL directly to your user:
Proactive Token Refresh: Syncline automatically refreshes tokens in the background to prevent expiration. This webhook only fires when automatic refresh fails (typically because the user actively revoked access).
Meeting Events
meeting.scheduling.completed
Fired when an async scheduling job (from/v1/schedule/auto) completes successfully. Use the job_id to correlate with your original API request.
meeting.scheduling.failed
Fired when an async scheduling job fails (no availability, token expired, etc.).NO_AVAILABILITY- No overlapping free time foundCALENDAR_NOT_FOUND- Attendee hasn’t connected calendarTOKEN_EXPIRED- Calendar token needs reauthorizationTIMEZONE_ERROR- Could not determine timezoneGOOGLE_API_ERROR- Google Calendar API errorUSAGE_LIMIT_EXCEEDED- Monthly meeting limit reachedINTERNAL_ERROR- Unexpected server error
meeting.scheduled
Fired when a meeting is successfully created.meeting.updated
Fired when a meeting is rescheduled or modified viaPUT /v1/meetings/{id}.
meeting.cancelled
Fired when a meeting is cancelled viaDELETE /v1/meetings/{id}.
Platform Events
platform.usage_warning
Fired when your platform reaches 80% of monthly usage quota.platform.usage_limit_reached
Fired when your platform hits 100% of monthly usage quota.Security
Webhook Signatures
Every webhook includes these headers for verification:HMAC-SHA256(timestamp:payload, secret) where:
timestampis the Unix timestamp fromX-Syncline-Timestampheaderpayloadis the raw request bodysecretis your webhook secret
Getting Your Webhook Secret
- Log in to your developer dashboard
- Go to Settings → Webhooks
- When you create/update your webhook URL, a secret is generated
- Copy and store this secret immediately - it won’t be shown again
- Store it as an environment variable (e.g.,
SYNCLINE_WEBHOOK_SECRET)
Verifying Webhooks - Node.js
Verifying Webhooks - Go
Verifying Webhooks - Python
Security Best Practices
1. Use Environment Variables
2. Validate Before Processing
3. Use HTTPS Only
Configure your webhook URL to use HTTPS, never HTTP:4. Rate Limiting
Implement rate limiting to prevent abuse:5. Secret Rotation
Rotate your webhook secret periodically:- Go to dashboard → Settings → Webhooks
- Click “Regenerate Secret”
- Update your environment variable with the new secret
- Old secret remains valid for 24 hours (zero-downtime rotation)
Why This Is Safe
The verification code shown above is meant to be public. This is the same pattern used by:- Stripe webhooks
- GitHub webhooks
- Twilio webhooks
- Every major API platform
- The secret (kept private in your environment)
- HTTPS encryption (webhook payloads are encrypted in transit)
- Signature verification (proves webhook came from Syncline)
- Generate valid signatures without your secret
- Intercept webhooks (HTTPS encryption)
- Replay old webhooks (timestamp validation)
Webhook Management
Test Webhook
Send a test event to verify your webhook is working:View Webhook Logs
See recent webhook deliveries and their status:Retry Policy
If your webhook endpoint fails:- Immediate retry after 1 second
- Second retry after 10 seconds
- Third retry after 60 seconds
Best Practices
Respond Quickly
Return a 200 OK response as soon as you receive the webhook. Don’t wait for processing to complete:Handle Duplicates
Due to retries, you may receive the same webhook multiple times. Use thetimestamp and event data to deduplicate:
Monitor Webhook Health
Regularly check webhook logs to ensure deliveries are succeeding. Set up alerts for high failure rates.Example Integration
Related Endpoints
Update Webhook Settings
Configure webhook URL and events
View Webhook Logs
Monitor webhook deliveries