- Read the request body exactly as received (raw UTF-8 bytes). Do not modify, pretty-print or re-serialize it: the signature was computed over the bytes the platform sent, so any change (reordered keys, different whitespace) will cause the check to fail.
- Get the value of the `X-Telehealth-Signature` header. The platform sends only the digest as lowercase hexadecimal, with no prefix such as `sha256=`.
- Compute HMAC-SHA256 over the raw body bytes, using your webhook secret (as UTF-8 bytes) as the key, and encode the result as lowercase hexadecimal.
- Compare that value with the header using a constant-time comparison (for example `hmac.compare_digest` in Python) rather than `==`, so that the comparison time does not leak how many leading characters matched. If the header is missing or the values do not match, do not process the request; respond with 401 Unauthorized.
- Only if they match, parse the JSON and process the event according to the `X-Telehealth-Event` header or the `event` field in the body.
Security: Do not trust the payload until you have verified the signature. Skipping this step allows any third party who knows your URL to send fake events to it.
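The full procedure above, as an added example in Python (this is illustrative code written for this page, not the platform's own SDK). It assumes the header carries a lowercase-hex HMAC-SHA256 over the raw body keyed with the shared secret, as described; the secret, the sample body and the header dictionary are constructed for the example, and the header lookup is a plain case-sensitive dict (a real web framework normally exposes headers case-insensitively). It also shows the re-serialization pitfall from the first step: the same JSON re-encoded with `json.dumps` produces different bytes and fails verification.

```python
"""Verify an X-Telehealth-Signature webhook (illustrative example, not platform code)."""
import hashlib
import hmac
import json
from typing import Dict, Optional, Tuple

# Constructed values for the example; a real secret comes from your platform settings.
SECRET = "example-webhook-secret"  # hypothetical
BODY = b'{"event":"appointment.created","data":{"id":"appt_123"}}'  # constructed sample body
# Same JSON after a round trip through json.loads/json.dumps: different bytes.
RESERIALIZED_BODY = json.dumps(json.loads(BODY)).encode("utf-8")

HEX_DIGITS = frozenset("0123456789abcdef")


def compute_signature(secret: str, raw_body: bytes) -> str:
    """HMAC-SHA256 of the raw body bytes, keyed with the UTF-8 secret, as lowercase hex."""
    return hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256).hexdigest()


def verify_signature(secret: str, raw_body: bytes, header_value: Optional[str]) -> bool:
    """Return True only if the header matches the recomputed signature.

    A missing header, or one that is not 64 lowercase hex characters (the
    documented format), is rejected before the comparison. The comparison
    itself is constant-time via hmac.compare_digest, not ==.
    """
    if not header_value:
        return False
    if len(header_value) != 64 or any(c not in HEX_DIGITS for c in header_value):
        return False
    expected = compute_signature(secret, raw_body)
    return hmac.compare_digest(expected, header_value)


def handle_webhook(secret: str, raw_body: bytes, headers: Dict[str, str]) -> Tuple[int, dict]:
    """Minimal handler: returns (HTTP status, response body).

    The body is parsed only after the signature check passes. The event type
    is taken from X-Telehealth-Event, falling back to the body's "event" field.
    """
    signature = headers.get("X-Telehealth-Signature")
    if not verify_signature(secret, raw_body, signature):
        return 401, {"error": "invalid signature"}
    event = json.loads(raw_body.decode("utf-8"))
    event_type = headers.get("X-Telehealth-Event") or event.get("event")
    return 200, {"received": event_type}


if __name__ == "__main__":
    sig = compute_signature(SECRET, BODY)
    print("valid   :", handle_webhook(SECRET, BODY, {"X-Telehealth-Signature": sig}))
    print("tampered:", handle_webhook(SECRET, BODY + b" ", {"X-Telehealth-Signature": sig}))
    print("re-serialized body verifies:", verify_signature(SECRET, RESERIALIZED_BODY, sig))
```

Note that the format check rejects an uppercase digest even though it encodes the same value; since the platform documents lowercase hex, anything else is treated as malformed rather than normalised, which keeps the accepted input as narrow as the specification.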
