Authentication
Every request in both directions requires two headers: an API key and an HMAC-SHA256 body signature.
Required headers
| Property | Type | Description |
|---|---|---|
| X-API-Key* | string | Your assigned API key. Identifies the caller and determines which organization the request belongs to. |
| X-Webhook-Signature* | string | HMAC-SHA256 signature of the raw JSON request body, formatted as `sha256=<hexdigest>`. Proves the body has not been tampered with and confirms the sender's identity. |
* Required field
The API key also determines the organization the request belongs to. You do not need to send an organization identifier in the request body.
How signature verification works
Request signing step-by-step
- Build your JSON request body as a UTF-8 encoded string.
- Compute the HMAC-SHA256 hex digest using the signing key as the secret.
- Prepend `sha256=` to the hex digest.
- Set the result as the `X-Webhook-Signature` header value.
Code examples
Python
```python
import hmac
import hashlib
import json
import requests

API_KEY = "your-api-key"
SIGNING_KEY = "your-signing-key"

payload = {
    "appointments": [
        {
            "appointment": {
                "id": "apt-001",
                "status": "booked",
                "start_time": "03/10/2026 09:00",
            },
            "patient": {
                "id": "pat-001",
                "first_name": "Jane",
                "last_name": "Doe",
            },
            "practitioner": {
                "id": "prov-001",
                "first_name": "John",
                "last_name": "Smith",
            },
        }
    ]
}

# Serialize once, then encode once: the signature must cover the exact
# bytes that go on the wire.
body_string = json.dumps(payload, separators=(",", ":"), ensure_ascii=False)
body_bytes = body_string.encode("utf-8")

signature = "sha256=" + hmac.new(
    SIGNING_KEY.encode("utf-8"),
    body_bytes,
    hashlib.sha256,
).hexdigest()

# Send the signed bytes themselves (data=), not json=, so the body is not
# re-serialized or re-encoded after signing.
response = requests.post(
    "https://integrations.api.insighthealth.ai/v2/webhooks/nexus/sync-appointments",
    data=body_bytes,
    headers={
        "Content-Type": "application/json",
        "X-API-Key": API_KEY,
        "X-Webhook-Signature": signature,
    },
)
```
Node.js
```javascript
const crypto = require('crypto');
const axios = require('axios');

const API_KEY = 'your-api-key';
const SIGNING_KEY = 'your-signing-key';

const payload = {
  appointments: [
    {
      appointment: {
        id: 'apt-001',
        status: 'booked',
        start_time: '03/10/2026 09:00',
      },
      patient: { id: 'pat-001', first_name: 'Jane', last_name: 'Doe' },
      practitioner: { id: 'prov-001', first_name: 'John', last_name: 'Smith' },
    },
  ],
};

// Serialize once and sign that exact string.
const bodyString = JSON.stringify(payload);

const signature =
  'sha256=' +
  crypto
    .createHmac('sha256', SIGNING_KEY)
    .update(bodyString, 'utf8')
    .digest('hex');

// Send the signed string itself rather than the payload object.
axios.post(
  'https://integrations.api.insighthealth.ai/v2/webhooks/nexus/sync-appointments',
  bodyString,
  {
    headers: {
      'Content-Type': 'application/json',
      'X-API-Key': API_KEY,
      'X-Webhook-Signature': signature,
    },
  }
);
```
cURL
```bash
BODY='{"appointments":[{"appointment":{"id":"apt-001","status":"booked"},"patient":{"id":"pat-001","first_name":"Jane","last_name":"Doe"}}]}'

# printf writes the body without a trailing newline in every shell
# (echo -n is not portable), so the digest covers exactly $BODY.
SIG="sha256=$(printf '%s' "$BODY" | openssl dgst -sha256 -hmac "your-signing-key" | cut -d' ' -f2)"

curl -X POST "https://integrations.api.insighthealth.ai/v2/webhooks/nexus/sync-appointments" \
  -H "Content-Type: application/json" \
  -H "X-API-Key: your-api-key" \
  -H "X-Webhook-Signature: $SIG" \
  -d "$BODY"
```
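
Because requests are signed in both directions, the receiving side has to check the header as well. The following is an added example, not part of the original documentation or the vendor's code: it verifies `X-Webhook-Signature` over the raw body bytes with a constant-time comparison. The function names `sign_body` and `verify_signature` and the sample key and body are constructed for illustration, and it assumes the receiver holds the same signing key and that your web framework exposes the unparsed request body.

```python
import hashlib
import hmac

PREFIX = "sha256="

# Constructed sample values, not real credentials or traffic.
SAMPLE_KEY = "example-signing-key"
SAMPLE_BODY = b'{"appointments":[{"appointment":{"id":"apt-001","status":"booked"}}]}'


def sign_body(raw_body: bytes, signing_key: str) -> str:
    """Return the X-Webhook-Signature value for the exact bytes on the wire."""
    mac = hmac.new(signing_key.encode("utf-8"), raw_body, hashlib.sha256)
    return PREFIX + mac.hexdigest()


def verify_signature(raw_body: bytes, header_value, signing_key: str) -> bool:
    """Check a received X-Webhook-Signature header against the raw body.

    raw_body must be the bytes as received, before JSON parsing. Parsing and
    re-serializing can change whitespace or key order, which changes the digest.
    """
    if not isinstance(header_value, str) or not header_value.startswith(PREFIX):
        return False  # missing header or unknown scheme: reject, never skip
    expected = sign_body(raw_body, signing_key).encode("ascii")
    received = header_value.strip().encode("utf-8", "replace")
    # compare_digest takes time independent of where the values differ,
    # so response timing does not leak a partially correct signature.
    return hmac.compare_digest(expected, received)


if __name__ == "__main__":
    header = sign_body(SAMPLE_BODY, SAMPLE_KEY)
    print("valid request:", verify_signature(SAMPLE_BODY, header, SAMPLE_KEY))
    tampered = SAMPLE_BODY.replace(b"booked", b"cancelled")
    print("tampered body:", verify_signature(tampered, header, SAMPLE_KEY))
    print("missing header:", verify_signature(SAMPLE_BODY, None, SAMPLE_KEY))
```

Run the check before parsing the JSON and before acting on any field in the body, and reject the request when it returns `False`.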