Feature Requests

Option for Static Webhook Secret or Raw Payload Support
### Summary

It is currently difficult to reliably verify SavvyCal webhook signatures when using certain frameworks. Since the HMAC signature is generated from the exact raw request payload, if only the parsed JSON is available, the signature cannot be reproduced. This makes proper verification impossible in those environments.

---

### Problem

* Signature verification requires the raw string of the request body.
* Many frameworks parse the JSON body before user code can access it.
* Once parsed, the original raw string (with its exact whitespace, key ordering, and encoding) is lost.
* Attempting to `JSON.stringify` the parsed body is unreliable and does not consistently match the string SavvyCal used.
* As a result, webhook authenticity cannot be guaranteed in these setups.

---

### Why This Matters

* Security: Without reliable verification, webhook endpoints are vulnerable to spoofed requests.
* Developer Experience: Many developers integrating with SavvyCal don’t have low-level access to the raw request body. This creates friction and prevents secure usage.

---

### Suggested Solutions

#### 1. Static Secret Verification (Preferred)

Provide an option for webhooks to include a static, pre-shared secret header (e.g., `x-savvycal-secret`) instead of an HMAC over the body.

* This is simpler to implement in environments without raw-body access.
* Security is still strong, provided HTTPS is used and the secret is sufficiently random.
* Many webhook providers offer this as a fallback option for exactly this reason (e.g., Slack’s signing secret vs GitHub’s secret).

#### 2. Dual Signature Headers

Include both:

* The existing `x-savvycal-signature` (HMAC of raw body).
* An optional `x-savvycal-secret` (static).

This would keep backward compatibility while giving developers flexibility.

#### 3. Optional Canonical JSON Serialization

If sticking with HMAC verification only, provide a guarantee that the body is always serialized using a canonical JSON format (no whitespace differences, predictable key ordering, UTF-8 encoding).

* This would allow developers to `JSON.stringify` the parsed object and reliably match your HMAC.
* While less flexible, it makes signature verification feasible without needing raw-body access.

---

### Benefits

* Broader compatibility with modern frameworks and headless CMS platforms.
* Easier onboarding for developers integrating webhooks.
* Improved security posture, since more teams would be able to verify webhooks correctly instead of skipping verification.
0
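The mismatch described in the request above, as an added example (not SavvyCal's code and not part of the original post): the same HMAC check passes over the exact received bytes and fails once the body has been parsed and re-serialized with `JSON.stringify`. It assumes the signature is a hex-encoded HMAC-SHA256 of the raw body; the secret, payload and function names are constructed for illustration.

```javascript
const crypto = require("node:crypto");

// Assumption: the sender signs the raw body with HMAC-SHA256 and sends hex.
function sign(secret, rawBody) {
  return crypto.createHmac("sha256", secret).update(rawBody).digest("hex");
}

// Verify over the exact bytes received, comparing digests in constant time.
function verify(secret, rawBody, signatureHex) {
  const expected = Buffer.from(sign(secret, rawBody), "hex");
  const given = Buffer.from(String(signatureHex), "hex");
  // timingSafeEqual throws on length mismatch, so check the length first.
  return given.length === expected.length &&
    crypto.timingSafeEqual(given, expected);
}

// Constructed sample: whitespace after separators, a \u escape and "30.0"
// are all valid JSON that JSON.stringify will not reproduce byte for byte.
const SECRET = "constructed-example-secret";
const RAW = Buffer.from(
  '{"type": "example", "payload": {"id": "evt_1", "name": "Zo\\u00eb", "duration": 30.0}}',
  "utf8"
);
// What the sender would place in the x-savvycal-signature header.
const SIGNATURE = sign(SECRET, RAW);

function demo() {
  const parsed = JSON.parse(RAW.toString("utf8"));
  const reserialized = Buffer.from(JSON.stringify(parsed), "utf8");
  const tampered = Buffer.from(RAW.toString("utf8").replace("evt_1", "evt_2"));
  return {
    rawOk: verify(SECRET, RAW, SIGNATURE),                   // exact bytes
    reserializedOk: verify(SECRET, reserialized, SIGNATURE), // parsed, re-encoded
    sameBytes: RAW.equals(reserialized),
    tamperedOk: verify(SECRET, tampered, SIGNATURE),         // modified body
  };
}

console.log(demo());
```

A receiver that can keep the request bytes (for example by buffering the stream before any JSON middleware runs) should pass those bytes to `verify` and only parse after the check succeeds.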
Enhanced Multi-Calendar Sync for blocked availability in native calendars for colleagues
Dear SavvyCal Team,

I am writing to propose a significant feature enhancement that would greatly benefit users with complex, multi-organizational calendar needs, like myself.

My Scenario:

As a freelancer, my schedule is distributed across several Google Calendars:

- My primary Google Calendar (my main calendar, which some colleagues check directly).
- A personal Google Calendar.
- My own company's Google Workspace calendar.
- Three separate Google Workspace calendars, one for each of the different client companies I work with.

Current Functionality and Its Limitation:

SavvyCal excels at aggregating availability from all these connected calendars to present a consolidated view on my SavvyCal booking links. This is incredibly useful for external parties who use my links to schedule meetings. However, a crucial challenge arises because my colleagues within these various companies (including my own and the client organizations) do not always use my SavvyCal booking link. Instead, they often check my availability directly within their native calendar applications, which primarily view my main Google Calendar.

The Problem:

Currently, if I have an event in one of my client's calendars, or my personal calendar, that time is correctly shown as "unavailable" on my SavvyCal booking page. However, this "busy" status does not automatically reflect as a blocked event in my primary Google Calendar. This means colleagues looking at my primary calendar directly see me as free, leading to potential scheduling conflicts, double-bookings, and a frustrating back-and-forth to clarify availability.

Proposed Feature: Specialized Calendar Synchronization

I propose that SavvyCal develop a feature that allows users to designate a "master" or "primary" Google Calendar, and then automatically write "busy" events into this master calendar based on busy times detected in all other connected calendars. Essentially, SavvyCal would act as a sophisticated calendar synchronization tool for the user's own calendar ecosystem. This would involve:

- Identifying busy slots across all connected calendars (personal, own company, client companies).
- Creating a "busy" or "tentative" block (perhaps with customizable event titles like "Busy - External Meeting") in the designated primary Google Calendar for these times.
- Ensuring these blocks are updated dynamically as my external calendar events change.

Benefits:

- True Availability Reflection: My primary Google Calendar would accurately reflect my true availability, regardless of which underlying calendar holds the blocking event.
- Reduced Conflicts: Colleagues checking my primary calendar directly would immediately see when I'm genuinely unavailable, minimizing scheduling errors.
- Improved Collaboration: Streamlines internal scheduling processes across different organizations.
- Enhanced User Experience: Eliminates the need for manual blocking or relying on separate, third-party synchronization tools.

This enhancement would transform SavvyCal from solely an external booking tool into a comprehensive personal availability management hub, providing immense value to users like myself.
1
Easier Workflow for Booking on Behalf of Clients
I’ve been using SavvyCal for my coaching business and love how smooth the booking experience is for clients using my public links. That said, there's one part of the workflow that's very cumbersome: booking sessions on behalf of clients.

When I am at the end of my coaching call, I like to coordinate and book our next coaching session. Right now, my public booking links show limited availability by design. But when I’m manually scheduling for a client, I often want to give them access to "unpublished" availability. To make that work, I currently have to:

- Manually add a time override to make the hidden time slot bookable
- Open the link in an incognito window (so SavvyCal doesn’t assume I’m booking for myself)
- Fill in their name and email manually

It works — but it’s clunky and time-consuming. And I find it difficult to do while the client is still on the call.

What I’d love to see: A way to schedule directly from the admin dashboard, where I can:

- Choose the time slot (even if it’s outside public availability)
- Enter client name/email
- Hook them into that booking link so they get confirmation, reminders, and rescheduling links, etc., as if they had booked it themselves.

This would streamline the workflow significantly for those of us who both share public booking links and book more customized sessions for our clients.

I am considering moving to Acuity or some other system as a result of this. I still need to determine what alternatives exist, but this is not sustainable for me.
7

planned
