Skip to main content
Webhooks offer a great way to automate the flow with other apps when invitees schedule, cancel or reschedule events, or when the meeting ends.
The webhook subscription allows you to listen to specific trigger events, such as when a booking has been scheduled, for example. You can always listen to the webhook by providing a custom subscriber URL with your own development work. However, if you wish to trigger automations without any development work, you can use the integration with Zapier which connects Cal.com to your apps.

Webhook scope levels

Webhooks can be created at multiple levels of scope, each determining which events they apply to:
  • User-level: Triggers for all event types owned by the user (excluding team-managed types).
  • Event-type level: Triggers only for a specific event type. Useful for fine-grained control.
  • Team-level: Applies to team event types (i.e., Collective and Round Robin) within the specified team.
    In the case of Managed events, bookings are made on the child event types, not the parent team event. Because of this, team-level webhooks will not trigger for managed events unless one of the following is true:
    • You create a webhook directly on the parent event type (recommended), or
    • You create individual webhooks on the child event types (owned by users).
    💡 Note: Users can create webhooks that apply to their own event types, including child events under a managed event, even if a team-level webhook exists.
  • Organization-level: Applies to all team event types across all teams within the organization.

Creating a webhook subscription

To create a new webhook subscription, visit /settings/developer/webhooks and proceed to enter the following details:
  1. Subscriber URL: The listener URL where the payload will be sent to, when an event trigger is triggered. The subscriber URL must meet the following requirements:
    • Cal.com SaaS: Only HTTPS URLs are accepted. HTTP, private/internal IP addresses (e.g., 10.x.x.x, 192.168.x.x, 127.0.0.1), and localhost are blocked.
    • Self-hosted: Both HTTP and HTTPS URLs are accepted, and private IP addresses are allowed for internal webhooks.
    • All environments: Cloud metadata endpoints (e.g., 169.254.169.254) and non-HTTP protocols (e.g., ftp://, file://) are always blocked.
    If your subscriber URL does not meet these requirements, the webhook creation request will be rejected with an error.
  2. Event triggers: You can decide which triggers specifically to listen to. Currently, we offer listening to Booking Cancelled, Booking Created, Booking Rescheduled, Booking Rejected, Booking Requested, Booking Paid, Booking Payment Initiated, Booking No-Show Updated, Meeting Started, Meeting Ended, Recording Ready, Recording Transcription Generated, Instant Meeting Created, Out of Office Created, After Hosts Cal Video No-Show, After Guests Cal Video No-Show, Form Submitted, and Form Submitted (No Event).
  3. Secret: You can provide a secret key with this webhook and then verify it on the subscriber URL when receiving a payload to confirm if the payload is authentic or adulterated. You can leave it blank, if you don’t wish to secure the webhook with a secret key.
  4. Custom Payload: You have the option to customize the payload you receive when a subscribed event is triggered.

Expectations with the triggers

EventTriggers When…
Booking CreatedA new booking is successfully created.
Booking CancelledA booking is cancelled by the host, attendee, or via API.
Booking RejectedA booking request is explicitly rejected by the host.
Booking RequestedA booking requiring confirmation from the host is submitted.
Booking PaidPayment for a booking is completed.
Booking Payment InitiatedA payment attempt is initiated (before confirmation).
Booking No-Show UpdatedA host or attendee is marked as a no-show after the meeting.
Meeting StartedAt the scheduled start time of the meeting. Uses a flat payload format. Automatically cancelled if the booking is cancelled or rescheduled.
Meeting EndedAt the scheduled end time of the meeting. Uses a flat payload format. Automatically cancelled if the booking is cancelled or rescheduled.
Recording ReadyA meeting recording is available and ready to access.
Recording Transcription GeneratedA transcription of the meeting recording is successfully generated.
Instant Meeting CreatedAn instant (ad-hoc) meeting is created.
Out of Office CreatedA user adds a new Out of Office entry to their availability.
After Hosts Cal Video No-ShowThe host did not show up to a Cal Video meeting in the first n minutes, as set up in the configuration.
After Guests Cal Video No-ShowThe attendee did not show up to a Cal Video meeting in the first n minutes, as set up in the configuration.
Form SubmittedA form is submitted as part of a routing form with a scheduled event.
Form Submitted (No Event)A form is submitted without a scheduled event (form-only flow).

Example webhook payloads

Most webhook events use a nested payload format with booking details inside a payload object. The MEETING_STARTED and MEETING_ENDED events use a different flat format where booking fields are at the top level.

Booking events (nested format)

Events like BOOKING_CREATED, BOOKING_CANCELLED, BOOKING_RESCHEDULED, and most other triggers use this format: 
{
    "triggerEvent": "BOOKING_CREATED",
    "createdAt": "2023-05-24T09:30:00.538Z",
    "payload": {
        "type": "60min",
        "title": "60min between Pro Example and John Doe",
        "description": "",
        "additionalNotes": "",
        "customInputs": {},
        "startTime": "2023-05-25T09:30:00Z",
        "endTime": "2023-05-25T10:30:00Z",
        "organizer": {
            "id": 5,
            "name": "Pro Example",
            "email": "owner@acme.com",
            "username": "owner90",
            "usernameInOrg": "owner",
            "timeZone": "Asia/Kolkata",
            "language": {
                "locale": "en"
            },
            "timeFormat": "h:mma"
        },
        "responses": {
            "name": {
                "label": "your_name",
                "value": "John Doe"
            },
            "email": {
                "label": "email_address",
                "value": "john.doe@example.com"
            },
            "location": {
                "label": "location",
                "value": {
                    "optionValue": "",
                    "value": "inPerson"
                }
            },
            "notes": {
                "label": "additional_notes"
            },
            "guests": {
                "label": "additional_guests"
            },
            "rescheduleReason": {
                "label": "reschedule_reason"
            }
        },
        "userFieldsResponses": {},
        "attendees": [
            {
                "email": "john.doe@example.com",
                "name": "John Doe",
                "timeZone": "Asia/Kolkata",
                "language": {
                    "locale": "en"
                }
            }
        ],
        "location": "Calcom HQ",
        "destinationCalendar": {
            "id": 10,
            "integration": "apple_calendar",
            "externalId": "https://caldav.icloud.com/1234567/calendars/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/",
            "userId": 5,
            "eventTypeId": null,
            "credentialId": 1
        },
        "hideCalendarNotes": false,
        "requiresConfirmation": null,
        "eventTypeId": 7,
        "seatsShowAttendees": true,
        "seatsPerTimeSlot": null,
        "uid": "bFJeNb2uX8ANpT3JL5EfXw",
        "appsStatus": [
            {
                "appName": "Apple Calendar",
                "type": "apple_calendar",
                "success": 1,
                "failures": 0,
                "errors": [],
                "warnings": []
            }
        ],
        "eventTitle": "60min",
        "eventDescription": "",
        "price": 0,
        "currency": "usd",
        "length": 60,
        "bookingId": 91,
        "metadata": {},
        "status": "ACCEPTED"
    }
}

Meeting started / meeting ended (flat format)

MEETING_STARTED and MEETING_ENDED webhooks use a flat payload format where booking fields are at the top level alongside triggerEvent, rather than nested inside a payload object. These webhooks are delivered at the scheduled start and end time of the meeting respectively. 
{
    "triggerEvent": "MEETING_STARTED",
    "id": 91,
    "uid": "bFJeNb2uX8ANpT3JL5EfXw",
    "title": "60min between Pro Example and John Doe",
    "description": "",
    "startTime": "2023-05-25T09:30:00.000Z",
    "endTime": "2023-05-25T10:30:00.000Z",
    "location": "https://cal.app/video/abc123",
    "status": "ACCEPTED",
    "paid": false,
    "createdAt": "2023-05-24T09:30:00.538Z",
    "updatedAt": "2023-05-24T09:30:00.538Z",
    "userId": 5,
    "eventTypeId": 7,
    "metadata": {},
    "responses": {
        "name": {
            "label": "your_name",
            "value": "John Doe"
        },
        "email": {
            "label": "email_address",
            "value": "john.doe@example.com"
        }
    },
    "user": {
        "email": "owner@acme.com",
        "name": "Pro Example",
        "username": "owner90",
        "timeZone": "Asia/Kolkata",
        "locale": "en"
    },
    "attendees": [
        {
            "id": 201,
            "name": "John Doe",
            "email": "john.doe@example.com",
            "timeZone": "Asia/Kolkata",
            "locale": "en",
            "noShow": false
        }
    ],
    "payment": [],
    "references": [
        {
            "id": 42,
            "type": "daily_video",
            "uid": "abc123",
            "meetingId": "abc123",
            "meetingUrl": "https://cal.app/video/abc123"
        }
    ]
}
MEETING_STARTED and MEETING_ENDED webhooks do not support custom payload templates. They always send the full booking data in the flat format shown above.
If a booking is cancelled or rescheduled before the meeting time, the scheduled MEETING_STARTED and MEETING_ENDED webhooks for that booking are automatically cancelled.

Subscriber URL requirements

Cal.com validates webhook subscriber URLs to protect against server-side request forgery (SSRF). The validation rules depend on whether you are using Cal.com Cloud or a self-hosted instance. Cal.com Cloud:
  • The subscriber URL must use HTTPS.
  • URLs pointing to private or internal IP addresses (such as 10.x.x.x, 172.16.x.x, 192.168.x.x, or 127.0.0.1) are blocked.
  • Cloud metadata endpoints (such as 169.254.169.254) are blocked.
  • Hostnames that resolve to private IP addresses via DNS are also blocked.
Self-hosted:
  • Both HTTP and HTTPS URLs are accepted, so you can use internal services as webhook targets.
  • Private IP addresses are allowed for internal webhooks.
  • Cloud metadata endpoints are still blocked for security, since self-hosted instances may run on cloud infrastructure.
If your subscriber URL does not meet these requirements, the webhook creation or update request will fail with a 400 error indicating the URL is not allowed.

Verifying the authenticity of the received payload

  1. Simply add a new secret key to your webhook and save.
  2. Wait for the webhook to be triggered (event created, cancelled, rescheduled, or meeting ended)
  3. Use the secret key to create an hmac, and update that with the webhook payload received to create an SHA256.
  4. Compare the hash received in the header of the webhook (X-Cal-Signature-256) with the one created using the secret key and the body of the payload. If they don’t match, the received payload was adulterated and cannot be trusted.

Adding a custom payload template

Customizable webhooks are a great way reduce the development effort and in many cases remove the need for a developer to build an additional integration service. An example of a custom payload template is provided here: 
{
  "content": "A new event has been scheduled",
  "type": "{{type}}",
  "name": "{{title}}",
  "organizer": "{{organizer.name}}",
  "booker": "{{attendees.0.name}}"
}
where {{type}} represents the event type slug and {{title}} represents the title of the event type. Note that the variables should be added with a double parenthesis as shown above. Here’s a breakdown of the payload that you would receive via an incoming webhook, with an exhaustive list of all the supported variables provided below:

Webhook variable list

VariableTypeDescription
triggerEventStringThe name of the trigger event [BOOKING_CREATED, BOOKING_RESCHEDULED, BOOKING_CANCELLED, MEETING_ENDED, BOOKING_REJECTED, BOOKING_REQUESTED, BOOKING_PAYMENT_INITIATED, BOOKING_PAID, MEETING_STARTED, RECORDING_READY, FORM_SUBMITTED]
createdAtDatetimeThe Time of the webhook
typeStringThe event type slug
titleStringThe event type name
startTimeDatetimeThe event’s start time
endTimeDatetimeThe event’s end time
descriptionStringThe event’s description as described in the event type settings
locationStringLocation of the event
organizerOrganizerThe organizer of the event
attendeesAttendee[]The event booker & any guests
uidStringThe UID of the booking
rescheduleUidStringThe UID for rescheduling
cancellationReasonStringReason for cancellation
rejectionReasonStringReason for rejection
team.nameStringName of the team booked
team.membersString[]Members of the team booked
metadataJSONContains a metadata of the booking, including the meeting URL (videoCallUrl) in case of Google Meet and Cal Video

Organizer Structure

VariableTypeDescription
nameStringName of the organizer
emailEmailEmail of the organizer
usernameStringGlobal username of the organizer
usernameInOrgStringUsername of the organizer within their organization (if applicable)
timeZoneStringTimezone of the organizer (“America/New_York”, “Asia/Kolkata”, etc.)
language?.localeStringLocale of the organizer (“en”, “fr”, etc.)

Attendee Structure

VariableTypeDescription
nameStringName of the attendee
emailEmailEmail of the attendee
timeZoneStringTimezone of the attendee (“America/New_York”, “Asia/Kolkata”, etc.)
language?.localeStringLocale of the attendee (“en”, “fr”, etc.)