From 916317195c95a276b487d5b4ce0802118d6f4862 Mon Sep 17 00:00:00 2001 From: Andrey Fedorov Date: Fri, 29 May 2026 10:15:10 +0200 Subject: [PATCH 1/2] docs(prior-auth): document CDS_REQUIRED_HEADERS and CDS_ENABLED_HOOKS --- docs/prior-auth/crd.md | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/docs/prior-auth/crd.md b/docs/prior-auth/crd.md index a02dcfe..032673f 100644 --- a/docs/prior-auth/crd.md +++ b/docs/prior-auth/crd.md @@ -29,6 +29,26 @@ The service holds the payer's coverage rules: medical policy, formulary tiers, n For a complete local setup example, see [Quickstart: Run locally](../get-started/quickstart-run-locally.md). +## Required headers + +Operators can require specific HTTP headers on every inbound hook request via a comma-separated allowlist. When any listed header is missing or blank, Payerbox rejects the request with `400` and an `OperationOutcome` before reaching the Decision Service. Discovery (`GET /cds-services`) is not gated — only hook POSTs. + +``` +CDS_REQUIRED_HEADERS=x-client-id,x-caller-app +``` + +Header names are case-insensitive. Default (unset) — no header validation, requests pass through. + +## Enabled hooks + +To advertise only a subset of the supported hooks — useful while the upstream Decision Service is implementing CRD incrementally — operators can pass a comma-separated allowlist of hook ids. When set, `GET /cds-services` returns only the listed ids and `POST /cds-services/` returns `404` with an `OperationOutcome`. + +``` +CDS_ENABLED_HOOKS=order-sign-crd,order-select-crd +``` + +Valid ids are `order-sign-crd`, `order-select-crd`, `order-dispatch-crd`, `appointment-book-crd`; matching is case-insensitive. Default (unset) — all four hooks are exposed. + ## Supported hooks | Hook | When it fires | Reference | From 6b931aa78ebf07a34a03dac80d041db5d09b8899 Mon Sep 17 00:00:00 2001 
From: Andrey Fedorov Date: Fri, 29 May 2026 10:15:10 +0200 Subject: [PATCH 2/2] docs(prior-auth): document CDS_REQUIRED_HEADERS and CDS_ENABLED_HOOKS --- docs/prior-auth/crd.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/prior-auth/crd.md b/docs/prior-auth/crd.md index 032673f..5793bed 100644 --- a/docs/prior-auth/crd.md +++ b/docs/prior-auth/crd.md @@ -34,7 +34,7 @@ For a complete local setup example, see [Quickstart: Run locally](../get-started Operators can require specific HTTP headers on every inbound hook request via a comma-separated allowlist. When any listed header is missing or blank, Payerbox rejects the request with `400` and an `OperationOutcome` before reaching the Decision Service. Discovery (`GET /cds-services`) is not gated — only hook POSTs. ``` -CDS_REQUIRED_HEADERS=x-client-id,x-caller-app +CDS_REQUIRED_HEADERS=x-client-id ``` Header names are case-insensitive. Default (unset) — no header validation, requests pass through.
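Review bot: In the patch 1/2 hunk, the "Enabled hooks" paragraph reads as if every hook POST returns `404` once `CDS_ENABLED_HOOKS` is set, and the path `POST /cds-services/` looks cut off; it should say that only POSTs to hook ids not in the allowlist are rejected, e.g. "`POST /cds-services/{id}` returns `404` with an `OperationOutcome` for any id not in the list". In the "Required headers" paragraph, the behaviour described is a presence check only (missing or blank values are rejected), so the docs should state plainly that header values are not validated and that this gate is a routing/hygiene control, not an authentication or authorization mechanism, so operators do not rely on `CDS_REQUIRED_HEADERS=x-client-id` to establish caller identity.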
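Review bot: In the patch 2/2 hunk, shortening the example to `CDS_REQUIRED_HEADERS=x-client-id` removes the only illustration of the comma-separated form that the surrounding sentence describes; either keep the two-header example or add a sentence noting that a single header name is also accepted. The patch also carries the same subject line as 1/2 ("docs(prior-auth): document CDS_REQUIRED_HEADERS and CDS_ENABLED_HOOKS") while changing one example line, so it should be squashed into the first patch or given a subject that states what it actually changes.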