For enhanced security, you can validate that a webhook was sent by HireHive. Each request carries 3 headers (webhook-id, webhook-timestamp and webhook-signature) that together allow your server to verify that the request is coming from HireHive. To verify the signature, you need the webhook secret from the webhook settings. Each webhook has its own secret.

HireHive follows the Standard Webhooks specification for the header signature and payload of webhook requests.

The Standard Webhooks specification is a set of conventions to be followed by webhook producers (senders) to provide webhook consumers (receivers) a secure, consistent, and interoperable interface for webhooks. The specification includes both requirements for any compatible implementation and recommendations that are not necessarily required for compatibility, but provide a better experience for the producers, consumers, or both.

Code sample for verifying the signature

All of the headers are prefixed with webhook- and must follow the exact naming below.

The headers are:

  • webhook-id: the unique webhook identifier.
  • webhook-timestamp: integer unix timestamp (seconds since epoch).
  • webhook-signature: the signature(s) of this webhook.

The signature header is a space-delimited list of signatures associated with this webhook. It is a list, rather than a single signature, to support zero-downtime secret rotation. The secret key used for the signature should not be changed under normal circumstances, but a change may be required in some cases (e.g. compromise). Supporting zero-downtime secret rotation means that webhook operations won’t be affected during the secret rotation process.

webhook-id: msg_2KWPBgLlAfxdpx2AI54pPJ85f4W
webhook-timestamp: 1674087231
webhook-signature: v1,K5oZfzN95Z9UVu1EsfQmfVNQhnkZ2pj9o9NDN/H/pI4=
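
The verification described above, as an added example (not HireHive's or the Standard Webhooks project's own code): per the Standard Webhooks specification, each signature is a base64 HMAC-SHA256 over "id.timestamp.body", keyed with the base64-decoded secret. The function names, the 5-minute timestamp tolerance and the lower-case header dictionary are assumptions of this sketch.

```python
import base64
import hashlib
import hmac
import time

TOLERANCE_SECONDS = 5 * 60  # assumed replay window; adjust to your needs


def _key_bytes(secret: str) -> bytes:
    # Standard Webhooks secrets are base64, optionally prefixed with "whsec_".
    return base64.b64decode(secret.removeprefix("whsec_"))


def sign(secret: str, msg_id: str, timestamp: str, body: bytes) -> str:
    # Signed content is "<id>.<timestamp>.<raw body>", HMAC-SHA256, base64.
    signed = msg_id.encode() + b"." + timestamp.encode() + b"." + body
    digest = hmac.new(_key_bytes(secret), signed, hashlib.sha256).digest()
    return "v1," + base64.b64encode(digest).decode()


def verify(secret: str, headers: dict, body: bytes, now=None) -> bool:
    """Return True only if the timestamp is fresh and any listed signature matches."""
    try:
        msg_id = headers["webhook-id"]
        ts = headers["webhook-timestamp"]
        sig_header = headers["webhook-signature"]
        ts_int = int(ts)
    except (KeyError, ValueError):
        return False  # missing or malformed header
    now = time.time() if now is None else now
    if abs(now - ts_int) > TOLERANCE_SECONDS:
        return False  # stale or future-dated request: treat as a replay
    expected = sign(secret, msg_id, ts, body).encode()
    # Space-delimited list: accept if any entry matches (secret rotation).
    return any(hmac.compare_digest(expected, c.encode())
               for c in sig_header.split(" "))


if __name__ == "__main__":
    # Constructed secret, body and headers, for illustration only.
    secret = "whsec_" + base64.b64encode(b"constructed-demo-key").decode()
    body = b'{"event":"constructed.sample"}'
    ts = str(int(time.time()))
    headers = {"webhook-id": "msg_constructed", "webhook-timestamp": ts,
               "webhook-signature": "v1,b2xk " + sign(secret, "msg_constructed", ts, body)}
    print(verify(secret, headers, body))         # untouched request
    print(verify(secret, headers, body + b" "))  # tampered body
```

Pass the raw request bytes as the body: re-serialising parsed JSON can change the bytes and make a genuine signature fail.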

For code samples in other languages, check out the Standard Webhooks repo.