Truemed calls your endpoint once per session, when clinical review finishes. Read the session again
to see how it resolved: qualification_status is approved when a clinician approved the qualified
items, or rejected when a clinician declined the request or an initially-eligible item failed
review.
In both cases you capture the hold for the qualified amount and release the rest. The per-item
eligible, pre-approved, and ineligible split on the session’s order_items tells you how much
qualifies. On approved, the qualified amount is eligible_amount_cents +
preapproved_amount_cents. On rejected, the LMN-dependent eligible portion is zeroed, so you
capture only any preapproved_amount_cents (pre-approved items never needed the LMN) and release
the rest, collecting the balance on a regular card as an ordinary, non-HSA/FSA order.
A fully HSA/FSA-ineligible cart reads rejected from creation on every session read. There is
nothing to review, so no event fires for it. To receive deliveries, subscribe to the
truemed_session.truemed_review_complete event type. Channels that aren’t subscribed get nothing.
Authentication: Requests are HMAC-SHA256 signed. The x-truemed-signature header carries a
timestamp and the signature in the form t=<unix-timestamp>,v0=<hex-signature>. To verify: take the
t value from the header, compute HMAC-SHA256 over <t>.<raw-request-body> with your webhook
signing secret, and compare the hex digest to the v0 value. Sign the raw body bytes exactly as
received, since re-serializing the JSON changes the bytes and breaks the signature.
The payload is a signed envelope:
webhook_delivery_id - Deterministic delivery id. Retries of the same delivery repeat the same value, so use it to deduplicate.event_type - Which event this is, one of truemed_session.pending_authorization or
truemed_session.truemed_review_complete.occurred_at - ISO-8601 timestamp of when the event occurred.data - A compact session summary: the session id, user id, qualification status at event time,
and session metadata needed for correlation. Read the session for the full qualification and cart
picture.metadata: (Optional) - JSON-encoded string echoing whatever metadata the merchant
supplied at session creation. Omitted if none was supplied.HTTP Status: 204
You do not need to include any content in the body.
Truemed will retry the requests to your backend with backoff for up to 7 days
Webhook event-type discriminator; the event name carries the qualification transition.
One of:
truemed_session.pending_authorization — The session entered pending_authorization after the shopper completed intake. Place the authorization hold on the card and signal it to start clinical review.truemed_session.truemed_review_complete — Terminal: clinical review finished. Read the session and capture the hold for the qualified amount, which is eligible plus pre-approved when approved and the pre-approved portion only when rejected, then release the remainder.Deterministic delivery ID — retries of the same delivery repeat the same value; use it to deduplicate.
Webhook received successfully (HTTP 204 No Content)