Every booking on @calcom fans out into webhooks, emails, SMS, calendar APIs, Salesforce events for enterprise, billing, and fraud checks.
All of it runs on Trigger. Morgan Vernay from the Foundation team on how it works ↓
The booking flow is one piece: Cal runs millions of background tasks per month on Trigger:
→ Booking orchestration
→ AI phishing detection for suspicious links
→ Fraud and user-behavior analysis
→ Google + Microsoft Graph calendar sync
Enterprise customers expect sub-second confirmation. None of that fan-out can block the user.
The orchestrator regenerates the booking from a small payload and passes an encrypted snapshot to children. The snapshot is optional and stays off the Trigger dashboard.
Calendar sync uses concurrency keys + idempotency.
A burst of webhooks for one account collapses into a single reconcile pass. That alone has kept them inside Google Calendar's quota.
Then there's the AI phishing agent. For suspicious bookings, it opens each link in a browser and analyzes it. ~40 seconds per scan, all inside a Trigger workflow.
When a link's flagged, the booking is blocked and the account shut down.
Morgan on the team's relationship with incidents:
"Replays have changed how the team feels about incidents. If something fails, we replay the affected runs in a batch and move on. Nobody is dreading the on-call pager the way they used to."