API ReferenceTruemed Sessions

Truemed Session Pending Authorization Webhook

Truemed calls your endpoint when the shopper finishes intake and the session reaches `pending_authorization`. Place the authorization hold on the shopper's card on your own rail, then signal it with the auth-hold endpoint. That starts clinical review. This event fires only on that path. It does **not** fire when: - the cart is fully pre-approved, because it reaches `pending_authorization` on the create response instead, or - you place the hold before the shopper takes the survey (hold-first), because the session skips `pending_authorization` and goes straight from `pending_user_intake` to `pending_truemed_review`. In both cases, read `qualification_status` on the return `GET` instead of waiting for this event; the `GET` is always authoritative. To receive deliveries, subscribe to the `truemed_session.pending_authorization` event type; channels that aren't subscribed get nothing. **Authentication**: Requests are HMAC-SHA256 signed. The `x-truemed-signature` header carries a timestamp and the signature in the form `t=<unix-timestamp>,v0=<hex-signature>`. To verify: take the `t` value from the header, compute HMAC-SHA256 over `<t>.<raw-request-body>` with your webhook signing secret, and compare the hex digest to the `v0` value. Sign the raw body bytes exactly as received, since re-serializing the JSON changes the bytes and breaks the signature. ## Request Notes The payload is a signed envelope: - `webhook_delivery_id` - Deterministic delivery id. Retries of the same delivery repeat the same value, so use it to deduplicate. - `event_type` - Which event this is, one of `truemed_session.pending_authorization` or `truemed_session.truemed_review_complete`. - `occurred_at` - ISO-8601 timestamp of when the event occurred. - `data` - A compact session summary: the session id, user id, qualification status at event time, and session metadata needed for correlation. Read the session for the full qualification and cart picture. - `metadata`: **(Optional)** - JSON-encoded string echoing whatever metadata the merchant supplied at session creation. Omitted if none was supplied. ## Response Notes ### Success Case HTTP Status: `204` You do not need to include any content in the body. ### Failure Case Truemed will retry the requests to your backend with backoff for up to 7 days