Is your proposal related to a problem?
Yes
I would like to have an event type that is Token Only. Meaning, whilst I have a main event with an event slug, I can't actually use that for making bookings. Only Private Links can be used for this event type.
I sell bundles of time. Some one could by 5 sessions with me at a reduced price. However, I need a way to control the booking through my website. If someone tries to use the main event directly through cal.com it should fail. If I try to do this with an iFrame I have to expose the main slug (it's visible directly in the browser through inspect in dev tools). This means a savvy person could find the link and book with cal.com bypassing my credit validation. The only present way to do this is via a new tab which behaves differently.
Describe the solution you'd like
Allow for an event type that can't be used directly. It can only be used with a Private Link. Hidden is insufficiently secure for this purpose.
Describe alternatives you've considered
My current workaround is to use a new tab but this takes the person away from my site and is an inconsistent experience.
I have also added a "Requires Validation" step, a required field (bookingId) and a webhook. When someone tries to book through cal.com the booking is rejected because they don't have a valid bookingId.
When booked through my site I have the following flow. User logins, clicks make a booking, the site checks credit level >0, calls cal.com API and creates a private link, private link is used to create a booking (using iFrame thus exposing the main slug), booking is requested, webhook responds to my endpoint, endpoint checks the payload for valid bookingId (valid = unique, unused, associated to the private link, <5 mins),
success = accept booking, webhook on booking created sends payload to my endpoint, credit is deducted, user profile refreshed where tehy can see, amend and join the booking.
Failure = reject booking with a message to book via the site and not directly in cal.com
Additional context
(Write your answer here.)
Requirement/Document
(Share it here.)
House rules
- If this issue has a
🚨 needs approval label, don't start coding yet. Wait until a core member approves feature request by removing this label, then you can start coding.
- For clarity: Non-core member issues automatically get the
🚨 needs approval label.
- Your feature ideas are invaluable to us! However, they undergo review to ensure alignment with the product's direction.
- Follow Best Practices lined out in our Contributor Docs
Is your proposal related to a problem?
Yes
I would like to have an event type that is Token Only. Meaning, whilst I have a main event with an event slug, I can't actually use that for making bookings. Only Private Links can be used for this event type.
I sell bundles of time. Some one could by 5 sessions with me at a reduced price. However, I need a way to control the booking through my website. If someone tries to use the main event directly through cal.com it should fail. If I try to do this with an iFrame I have to expose the main slug (it's visible directly in the browser through inspect in dev tools). This means a savvy person could find the link and book with cal.com bypassing my credit validation. The only present way to do this is via a new tab which behaves differently.
Describe the solution you'd like
Allow for an event type that can't be used directly. It can only be used with a Private Link. Hidden is insufficiently secure for this purpose.
Describe alternatives you've considered
My current workaround is to use a new tab but this takes the person away from my site and is an inconsistent experience.
I have also added a "Requires Validation" step, a required field (bookingId) and a webhook. When someone tries to book through cal.com the booking is rejected because they don't have a valid bookingId.
When booked through my site I have the following flow. User logins, clicks make a booking, the site checks credit level >0, calls cal.com API and creates a private link, private link is used to create a booking (using iFrame thus exposing the main slug), booking is requested, webhook responds to my endpoint, endpoint checks the payload for valid bookingId (valid = unique, unused, associated to the private link, <5 mins),
success = accept booking, webhook on booking created sends payload to my endpoint, credit is deducted, user profile refreshed where tehy can see, amend and join the booking.
Failure = reject booking with a message to book via the site and not directly in cal.com
Additional context
(Write your answer here.)
Requirement/Document
(Share it here.)
House rules
🚨 needs approvallabel, don't start coding yet. Wait until a core member approves feature request by removing this label, then you can start coding.🚨 needs approvallabel.