Webhooks
Sidedoor consumes a single webhook: Stripe. It is platform-managed - Sidedoor runs the endpoint, verifies it and fulfils payments on your behalf. You do not host it, and there is nothing to configure as an operator. This page documents it for completeness.
The Stripe webhook
| Method | Path | Purpose | Auth |
|---|---|---|---|
| POST | /api/webhooks/stripe | Receive Stripe events and fulfil payments | signature |
Stripe delivers events to POST /api/webhooks/stripe. The request is not a
bearer-authenticated API call; instead it is verified by its
Stripe-Signature header.
Signature verification
Every delivery carries a Stripe-Signature header containing a timestamp (t)
and one or more HMAC-SHA256 signatures (v1). Sidedoor recomputes the HMAC
over "{timestamp}.{raw_body}" using the endpoint’s signing secret and compares
it - in constant time - against the header. A mismatch, or a stale timestamp, is
rejected. The raw request body must be used exactly as received; any
re-serialisation would break the signature.
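An added example, not Sidedoor's code, that carries the check described above through the cases the paragraph names: a stale timestamp, a header with several v1 values, and a re-serialised body. The 300-second tolerance, the function names and all sample values are assumptions.

```javascript
// Added example, not Sidedoor's code. Uses CommonJS require so it runs as a plain script.
const crypto = require("node:crypto");

const TOLERANCE_SECONDS = 300; // assumed freshness window, not a documented Sidedoor value

// Parse "t=...,v1=...,v1=..." keeping every v1 (a header may carry several).
function parseSignatureHeader(header) {
  const out = { t: null, v1: [] };
  for (const item of String(header).split(",")) {
    const idx = item.indexOf("=");
    if (idx === -1) continue;
    const key = item.slice(0, idx).trim();
    const value = item.slice(idx + 1).trim();
    if (key === "t") out.t = value;
    else if (key === "v1") out.v1.push(value);
  }
  return out;
}

// HMAC-SHA256 over "{timestamp}.{raw_body}", returned as raw bytes.
function sign(secret, timestamp, rawBody) {
  return crypto.createHmac("sha256", secret).update(`${timestamp}.`).update(rawBody).digest();
}

// Returns "ok" or the rejection reason. rawBody is a Buffer of the bytes as received.
function verifyDelivery(rawBody, header, secret, nowSeconds) {
  const { t, v1 } = parseSignatureHeader(header);
  if (!/^\d+$/.test(t ?? "") || v1.length === 0) return "malformed";
  if (nowSeconds - Number(t) > TOLERANCE_SECONDS) return "stale";
  const expected = sign(secret, t, rawBody);
  let matched = false;
  for (const candidate of v1) {
    if (!/^[0-9a-f]{64}$/.test(candidate)) continue; // wrong length or not hex: cannot match
    // Check every candidate so timing does not reveal which one matched.
    if (crypto.timingSafeEqual(expected, Buffer.from(candidate, "hex"))) matched = true;
  }
  return matched ? "ok" : "mismatch";
}

// Constructed sample delivery (secret, timestamp and body are made up).
const SECRET = "whsec_constructed_example";
const NOW = 1700000000;
const RAW = Buffer.from('{"id": "evt_constructed", "type": "checkout.session.completed"}');
const GOOD = sign(SECRET, NOW, RAW).toString("hex");
const HEADER = `t=${NOW},v1=${"0".repeat(64)},v1=${GOOD}`;
// Parsing and re-serialising drops the whitespace, so the bytes and the HMAC change.
const RESERIALISED = Buffer.from(JSON.stringify(JSON.parse(RAW.toString())));
```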
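```js
// Illustrative - Sidedoor performs this server-side.
// Shows the HMAC comparison only; the stale-timestamp check is not shown.
import crypto from "node:crypto";

function verifyStripe(rawBody, signatureHeader, signingSecret) {
  // Split "t=...,v1=..." into key/value pairs.
  const parts = Object.fromEntries(
    signatureHeader.split(",").map((kv) => kv.split("=")),
  );
  // Recompute the HMAC over "{timestamp}.{raw_body}".
  const expected = Buffer.from(
    crypto
      .createHmac("sha256", signingSecret)
      .update(`${parts.t}.${rawBody}`)
      .digest("hex"),
  );
  const received = Buffer.from(parts.v1 ?? "");
  // timingSafeEqual throws on unequal lengths, so reject those first.
  return (
    received.length === expected.length &&
    crypto.timingSafeEqual(expected, received)
  );
}
```
Events consumed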
Sidedoor acts on two Checkout events:
| Event | Effect |
|---|---|
| checkout.session.completed | Fulfil the paid item - booking deposit, event booking, voucher purchase, keys top-up or membership. Fulfilment is idempotent, so a redelivered event does not double-fulfil. |
| checkout.session.expired | Release the pending booking or intent that was awaiting payment. |
Card-hold deposits (authorise-and-capture on the reservation floor) are handled synchronously through the booking API and are not driven by this webhook.
Payouts
Sidedoor operates the platform Stripe account and this webhook. Operators are paid out via Stripe Connect - charges are made as Connect destination charges with a platform fee, and funds settle to your connected account. Connect onboarding and payout status live under Payouts.