Medera-Signature | sha256=<hmac> of the body using the per-tenant webhook secret | | | |
Medera-Event | Event name | | | |
Medera-Delivery-Id | Unique delivery ID — use for idempotency | | | |
Medera-Timestamp | Delivery timestamp (verify within ±5 minutes) | Inbound webhooks from external services (Medera Voice, payment processor, the identity provider, payer systems) are verified separately with the source’s own scheme: | Source | Verification |
| :--- | :--- | | | |
| Medera Voice | HMAC-SHA256 (medera-voice-signature) via | | | |
| payment processor | payment processor-Signature | | | |
| the identity provider | HMAC (svix-id, svix-timestamp, svix-signature) | | | |
| Payer | Per-payer HMAC secret | | | |