Webhooks
Receive real-time notifications when events occur in your Park Graph account. Webhooks are signed with HMAC-SHA256 for security.
Last updated June 2026
Setup
Configure webhooks in your dashboard. Provide an HTTPS endpoint URL and select the events you want to receive.
Events
Subscribe to one or more of the seven event types delivered by the /api/v1/webhooks management endpoint:
session.createdA new parking session was created (driver, agent, or API)session.endedA session was ended and final amount was capturedsession.extendedA session duration was extendedpayment.completedPayment was successfully capturedpayment.failedPayment capture failed and requires actionlot.updatedLot details, status, or pricing were modifiedoccupancy.changedLot occupancy crossed a configured thresholdSubscribe via API
Programmatically register a webhook endpoint and choose the events you want to receive:
curl -X POST https://parkgraph.com/api/v1/webhooks \
-H "Authorization: Bearer pk_live_..." \
-H "Content-Type: application/json" \
-d '{
"url": "https://example.com/webhooks/parkgraph",
"events": ["session.created", "session.ended", "payment.completed"]
}'Payload Format
{
"id": "evt_abc123",
"type": "session.created",
"created_at": "2026-04-30T10:00:00Z",
"data": {
"session_id": "uuid",
"session_code": "PG-VV7891",
"lot_id": "uuid",
"lot_name": "Vail Village Parking",
"vehicle_plate": "CO-7891",
"effective_rate": 8.00,
"rate_unit": "hour",
"duration_hours": 2,
"source": "agent",
"agent_name": "claude"
}
}{
"id": "evt_def456",
"type": "payment.completed",
"created_at": "2026-04-30T11:45:00Z",
"data": {
"session_id": "uuid",
"subtotal": 14.00,
"platform_fee": 1.40,
"owner_payout": 12.60,
"currency": "usd",
"payment_intent_id": "pi_..."
}
}Signature Verification
Every webhook includes an X-Park-Graph-Signature header whose value is sha256=<hex>. Strip the sha256= prefix, recompute the HMAC over the raw request body, and compare to verify the webhook is authentic. Each delivery also carries X-Park-Graph-Event (the event type) and X-Park-Graph-Delivery (the event id, stable across retries).
import crypto from "crypto";
function verifyWebhook(rawBody, signatureHeader, secret) {
// Header arrives as "sha256=<hex>" — strip the scheme prefix.
const received = signatureHeader?.startsWith("sha256=")
? signatureHeader.slice("sha256=".length)
: signatureHeader;
const expected = crypto
.createHmac("sha256", secret)
.update(rawBody)
.digest("hex");
return crypto.timingSafeEqual(
Buffer.from(received),
Buffer.from(expected)
);
}
// In your endpoint handler (verify against the RAW request body):
const isValid = verifyWebhook(
rawBody,
req.headers["x-park-graph-signature"],
"whsec_..."
);Retry Policy
Webhooks are retried up to 6 times with exponential backoff (1s, 5s, 30s, 5m, 30m, 2h).
Your endpoint must return a 2xx status within 30 seconds.
After 10 consecutive failures, the webhook is automatically paused.
Security model
The Park Graph webhooks sits behind the same security perimeter as the dashboard and the public website. The notes below summarise the controls that apply to every webhooks request; a deeper write-up lives in the developer changelog.
Authentication
Every authenticated request carries an API key in the Authorization header (`Bearer pk_live_…`). Keys are issued per project from /dashboard/api-keys. Rotation is an HTTP DELETE + re-create in the dashboard; old keys are revoked immediately. Live and sandbox keys use the `pk_live_` and `pk_test_` prefixes so they cannot be confused in code review.
Transport security
TLS 1.3 with HSTS preloaded on every host (parkgraph.com, *.parkgraph.com). Plaintext requests are rejected at the edge with HTTP 426. Certificates are issued through the public Let's Encrypt CA and pinned in the CT logs.
Payment handling
Card data is tokenised inside Stripe Elements on the driver's device — Park Graph never observes raw PANs and is therefore SAQ-A scope. Sessions reference Stripe PaymentIntents by id only; webhooks are signed by Stripe using HMAC-SHA256 and verified server-side before any state change.
Data retention
Driver email addresses and license plates are retained for the lifetime of the operator's relationship with Park Graph (or 30 days after a verified delete request, whichever comes first). Search-only requests with no booking outcome are anonymised after 24 hours. Aggregated occupancy data has no personal identifiers and is retained indefinitely.
Audit trail
Every write — session create, end, extend, refund, rate change, agent registration — appends an immutable row to the audit_log table with actor type, actor id, and the diff. The log is exposed to operators through the dashboard activity feed and via a per-lot CSV export. Deletes are tombstoned, not hard-removed.
Rate limits
Limits are enforced per API key (or per IP for unauthenticated reads) using a rolling token bucket. Every response carries X-RateLimit-Limit, X-RateLimit-Remaining, and X-RateLimit-Reset headers; 429 responses additionally carry Retry-After. Bursts above the per-minute budget should be backed off with jitter — the official SDK does this automatically.
| Scope | Budget | Window |
|---|---|---|
| Public read endpoints (search, lot detail, health) | 120 requests | per IP per minute |
| Authenticated read endpoints (sessions, payouts, webhooks) | 600 requests | per API key per minute |
| Authenticated write endpoints (create / end / extend session, refunds) | 120 requests | per API key per minute |
| Sandbox endpoints (`pk_test_…` keys) | 30 requests | per key per minute |
Need a higher ceiling? Email developers@parkgraph.com with your projected throughput and we will lift the burst budget on a per-key basis.
Error codes
Every error response uses the same envelope: { "error": { "code": "…", "message": "…", "request_id": "req_…" } }. The HTTP status indicates the broad class; the code field disambiguates within a class. Surface the request_id to your support team — we can look up the full server-side trace by id alone.
| Code | HTTP status | Meaning |
|---|---|---|
| BAD_REQUEST | 400 | Required parameter missing or out of range. Response body lists the offending field. |
| UNAUTHORIZED | 401 | Missing or malformed Authorization header. Send `Authorization: Bearer pk_live_…`. |
| FORBIDDEN | 403 | API key is valid but the plan does not include this scope (e.g. agent or intelligence endpoints on Starter). |
| NOT_FOUND | 404 | Lot, session, or webhook id does not exist or has been deleted. |
| CONFLICT | 409 | Idempotent retry of a non-terminal session, or attempt to end an already-completed session. |
| RATE_LIMITED | 429 | Per-key burst budget exceeded. Inspect `Retry-After` and back off. |
| PAYLOAD_TOO_LARGE | 413 | Webhook delivery body or batch upload exceeds 1 MB. |
| INTERNAL | 500 | Unexpected server error. Park Graph automatically opens an incident and retries idempotent writes. |
| BAD_GATEWAY | 502 | Upstream payment processor returned an error. Safe to retry with the same idempotency key. |
AI-agent use cases
Park Graph is built for agentic distribution: every commercial endpoint (search, availability, rates, sessions, refunds) is callable by an LLM through MCP, OpenAI Actions, Gemini function declarations, xAI function calling, Perplexity Agent API, or Microsoft Copilot plugins. The grid below maps the most common agent-driven workflows on top of the webhooks.
Conversational booking
An end user asks ChatGPT, Claude, Gemini, Grok, or Perplexity to find parking near a destination. The model calls /lots/search, summarises 3-5 lots with prices and walking distance, then on confirmation calls /sessions to start a session and returns the QR-coded receipt URL.
Travel-app companion
A flight-booking or hotel-booking assistant pre-fetches arrival-airport parking for the trip dates and displays inline lot suggestions inside its itinerary view. The same surface backs in-app booking and a fallback web checkout.
Voice-first ordering
Realtime voice assistants (e.g. gpt-realtime, Gemini Live, Grok Voice) confirm a lot, plate, and duration verbally, then call /sessions and read back the session code. Drivers never touch a screen until they walk away from the car.
Fleet dispatcher
An autonomous-vehicle fleet (rideshare, delivery, robotaxi) holds AV-fleet allocations with /av-fleet/dispatch, then commits the spot at handoff. See /developers/av-fleet for the AV-specific contract.
Procurement / expense agent
An accounts-payable agent reconciles staff parking against company-card statements by querying /sessions/search by plate, then files reimbursements through the agent's own ledger.
City planning analytics
A research agent queries /api/v2/intelligence/market-rate and /api/v2/intelligence/agent-demand for an address corridor, then drafts a report on rate elasticity and AI-agent traffic.
Architecture
Every Park Graph request — whether it arrives from the webhooks, the dashboard, the QR-driven mobile checkout, or an agent — runs through the same Next.js Edge front door, hits the same Postgres-backed core, and shares the same audit log and webhook fan-out. There is no divergent code path between "agent traffic" and "human traffic": anything an agent can do, a human can do, and vice versa.
Sandbox & getting help
Every operator gets a sandbox key prefixed with pk_test_. Sandbox traffic uses Stripe test mode, synthetic lots, and never charges a real card. Spin one up at /developers/sandbox, then point your client at https://parkgraph.com/api/v1 exactly as you would in production.
For integration help, reach the developer team at developers@parkgraph.com or open an issue on the public GitHub org. Status and incident history live at /developers/changelog; subscribe to the JSON feed for machine-readable updates.