Truemed calls your endpoint when the shopper finishes intake and the session reaches
pending_authorization. Place the authorization hold on the shopper’s card on your own rail, then
signal it with the auth-hold endpoint. That starts clinical review.
This event fires only on that path. It does not fire when:
pending_authorization on the create response
instead, orpending_authorization and goes straight from pending_user_intake to pending_truemed_review.In both cases, read qualification_status on the return GET instead of waiting for this event;
the GET is always authoritative. To receive deliveries, subscribe to the
truemed_session.pending_authorization event type; channels that aren’t subscribed get nothing.
Authentication: Requests are HMAC-SHA256 signed. The x-truemed-signature header carries a
timestamp and the signature in the form t=<unix-timestamp>,v0=<hex-signature>. To verify: take the
t value from the header, compute HMAC-SHA256 over <t>.<raw-request-body> with your webhook
signing secret, and compare the hex digest to the v0 value. Sign the raw body bytes exactly as
received, since re-serializing the JSON changes the bytes and breaks the signature.
The payload is a signed envelope:
webhook_delivery_id - Deterministic delivery id. Retries of the same delivery repeat the same value, so use it to deduplicate.event_type - Which event this is, one of truemed_session.pending_authorization or
truemed_session.truemed_review_complete.occurred_at - ISO-8601 timestamp of when the event occurred.data - A compact session summary: the session id, user id, qualification status at event time,
and session metadata needed for correlation. Read the session for the full qualification and cart
picture.metadata: (Optional) - JSON-encoded string echoing whatever metadata the merchant
supplied at session creation. Omitted if none was supplied.HTTP Status: 204
You do not need to include any content in the body.
Truemed will retry the requests to your backend with backoff for up to 7 days