Signaling is the coordination layer of a WebRTC call — everything two endpoints must exchange before any audio or video can flow. WebRTC (the open standard browsers use for real-time media) handles the media path itself, but it deliberately does not standardize how the two sides find each other and agree on terms. That negotiation traffic is signaling: the session descriptions (SDP) that state what codecs and parameters each side offers and answers, the ICE candidates that list possible network paths between them, and call-control events like ring, join, mute, and hang-up.
Because the standard leaves the channel open, your application supplies it — most platforms run a WebSocket connection from each client to their own signaling server, which relays messages between participants and tracks who is in which call. This server is part of your product, not part of WebRTC, so its reliability, scaling, and security are your responsibility.
In telemedicine the important consequence is that signaling is part of the compliance surface, not a neutral plumbing detail. Signaling payloads routinely reference identities, appointment context, and room membership — who is joining which patient's consultation — which is sensitive even before any clinical media is exchanged. That traffic must travel over TLS, the signaling server must authenticate participants before admitting them to a room, and the relevant events belong in audit logs. The common mistake is hardening the encrypted media path while treating signaling as a low-stakes side channel, leaving call metadata that maps patients to providers exposed or unaudited.
