Rimo Webhooks
The Patient Graph API receives webhooks from Rimo Health for treatment and prescription lifecycle events. Webhooks are authenticated via HMAC-SHA256 signatures.
Endpoint
POST https://patient-graph.loop.health/webhooks/rimo
Authentication: HMAC-SHA256 signature (no Clerk JWT).
Signature Verification
Every webhook request includes two headers:
| Header | Description |
|---|---|
| X-Rimo-Signature | HMAC-SHA256 hex digest of the request body |
| X-Rimo-Timestamp | Unix timestamp of when the event was generated |
Verification Steps
- Check X-Rimo-Timestamp is within 5 minutes of current time
- Compute HMAC-SHA256(timestamp + "." + body, RIMO_WEBHOOK_SECRET)
- Compare computed signature with X-Rimo-Signature
- Reject if signatures don’t match
Example Verification (Node.js)
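import { createHmac, timingSafeEqual } from 'crypto';

// Recompute the signature over `${timestamp}.${body}` and compare in constant time.
function verifySignature(body: string, timestamp: string, signature: string): boolean {
  const payload = `${timestamp}.${body}`;
  const expected = createHmac('sha256', process.env.RIMO_WEBHOOK_SECRET!)
    .update(payload)
    .digest('hex');
  const a = Buffer.from(expected, 'utf8');
  const b = Buffer.from(signature, 'utf8');
  // timingSafeEqual throws on unequal lengths, so check the length first.
  return a.length === b.length && timingSafeEqual(a, b);
}
Event Types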
treatment.created
Fired when a new treatment is created in Rimo Health.
{
  "id": "evt_abc123",
  "type": "treatment.created",
  "data": {
    "treatmentId": "rimo_treat_456",
    "customerId": "prof_abc123",
    "offeringName": "TRT Protocol",
    "status": "pending"
  },
  "timestamp": "2024-06-15T12:00:00Z"
}
treatment.approved
Fired when a clinician approves a treatment.
{
  "id": "evt_def456",
  "type": "treatment.approved",
  "data": {
    "treatmentId": "rimo_treat_456",
    "customerId": "prof_abc123",
    "clinicianId": "dr_smith",
    "clinicianName": "Dr. Smith",
    "approvedAt": "2024-06-15T14:00:00Z"
  },
  "timestamp": "2024-06-15T14:00:00Z"
}
order.transmitted
Fired when a prescription order is sent to the pharmacy.
{
  "id": "evt_ghi789",
  "type": "order.transmitted",
  "data": {
    "orderId": "rimo_ord_789",
    "treatmentId": "rimo_treat_456",
    "customerId": "prof_abc123",
    "medications": [
      {
        "name": "Testosterone Cypionate",
        "dosage": "200mg/mL",
        "quantity": 1
      }
    ]
  },
  "timestamp": "2024-06-16T09:00:00Z"
}
order.shipped
Fired when the pharmacy ships an order.
{
  "id": "evt_jkl012",
  "type": "order.shipped",
  "data": {
    "orderId": "rimo_ord_789",
    "trackingNumber": "1Z999AA10123456784",
    "carrier": "UPS",
    "estimatedDelivery": "2024-06-19"
  },
  "timestamp": "2024-06-17T10:00:00Z"
}
charge.captured
Fired when payment is captured for an order.
{
  "id": "evt_mno345",
  "type": "charge.captured",
  "data": {
    "orderId": "rimo_ord_789",
    "amount": 14999,
    "currency": "usd"
  },
  "timestamp": "2024-06-15T14:30:00Z"
}
Idempotency
Webhook events are deduplicated by id. If the same event ID is received more than once, subsequent deliveries are ignored (in-memory deduplication).
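The verification steps and the deduplication described above, combined in one handler as an added example (not code from Rimo or the Patient Graph API). The names `handleRimoWebhook`, `signForTest` and the verdict strings are hypothetical, and the example assumes X-Rimo-Timestamp is in seconds.

```typescript
import { createHmac, timingSafeEqual } from 'node:crypto';

const TOLERANCE_SECONDS = 5 * 60; // "within 5 minutes" from the verification steps
const seenEventIds = new Set<string>(); // in-memory: lost on restart, not shared across instances

type Verdict = 'accepted' | 'duplicate' | 'stale' | 'bad_signature' | 'malformed';

// Hypothetical helper. rawBody must be the exact string received, before any JSON parsing.
function handleRimoWebhook(
  rawBody: string,
  timestampHeader: string | undefined,
  signatureHeader: string | undefined,
  secret: string,
  nowSeconds: number = Math.floor(Date.now() / 1000), // assumption: timestamp is in seconds
): Verdict {
  if (!timestampHeader || !signatureHeader) return 'malformed';
  // Step 1: strict integer parse, then a freshness window in both directions.
  if (!/^\d{1,12}$/.test(timestampHeader)) return 'malformed';
  if (Math.abs(nowSeconds - Number(timestampHeader)) > TOLERANCE_SECONDS) return 'stale';
  // Step 2: HMAC-SHA256(timestamp + "." + body, secret).
  const expected = createHmac('sha256', secret)
    .update(`${timestampHeader}.${rawBody}`)
    .digest();
  // Steps 3-4: constant-time compare; the regex guarantees equal lengths for timingSafeEqual.
  if (!/^[0-9a-f]{64}$/i.test(signatureHeader)) return 'bad_signature';
  const provided = Buffer.from(signatureHeader, 'hex');
  if (!timingSafeEqual(provided, expected)) return 'bad_signature';
  // Only after authentication: parse the body and deduplicate on the event id.
  let event: { id?: unknown } | null = null;
  try { event = JSON.parse(rawBody); } catch { return 'malformed'; }
  if (typeof event?.id !== 'string') return 'malformed';
  if (seenEventIds.has(event.id)) return 'duplicate';
  seenEventIds.add(event.id);
  return 'accepted';
}

// Signs a constructed sample delivery for local testing (not real Rimo traffic).
function signForTest(body: string, ts: string, secret: string): string {
  return createHmac('sha256', secret).update(`${ts}.${body}`).digest('hex');
}
```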
Health Check
curl https://patient-graph.loop.health/webhooks/rimo/health
{
  "status": "ok"
}
Environment Variables
RIMO_WEBHOOK_SECRET=your-rimo-webhook-secret