HiringCenter
HiringCenter API

Webhooks

Endpoint: https://api.hiringcenterpro.com/v2

Webhook security and testing endpoints.

HiringCenter signs outbound webhook requests with the per-webhook endpoint secret and includes:

X-HiringCenter-Signature: t=<unix_timestamp>,v1=<hex_hmac>

During secret-rotation grace windows, the header can contain multiple v1 values:

X-HiringCenter-Signature: t=<unix_timestamp>,v1=<current_hex>,v1=<previous_hex>

Each v1 is computed as:

HMAC_SHA256(endpointSecret, t + "." + rawBody)

Verification rules:

  1. Use the exact raw request body bytes/string (no JSON parse + re-serialize).
  2. Parse t and all v1 values from the header.
  3. Enforce timestamp tolerance (recommended: 300 seconds) for replay protection.
  4. Compute expected signature once: expected = HMAC_SHA256(endpointSecret, t + "." + rawBody).
  5. Compare in constant time.
  6. Accept if any provided v1 matches.
  7. Parse JSON only after signature verification succeeds.

Node.js helper:

```javascript
const crypto = require('crypto');

// Parse "t=<unix_timestamp>,v1=<hex>[,v1=<hex>...]" into a timestamp and a list of signatures.
function parseSignatureHeader(signatureHeader) {
  if (!signatureHeader || typeof signatureHeader !== 'string') return null;
  const parts = signatureHeader.split(',').map((part) => part.trim()).filter(Boolean);
  let timestamp = null;
  const signatures = [];
  for (const part of parts) {
    const [k, v] = part.split('=');
    if (!k || !v) continue;
    if (k === 't') {
      const parsed = Number.parseInt(v, 10);
      if (Number.isFinite(parsed)) timestamp = parsed;
    } else if (k === 'v1' && /^[0-9a-fA-F]+$/.test(v)) {
      // Keep every v1 value: more than one is sent during a rotation grace window.
      signatures.push(v.toLowerCase());
    }
  }
  if (!timestamp || signatures.length === 0) return null;
  return { timestamp, signatures };
}

// rawBody must be the request body exactly as received, before any JSON parsing.
function verifyHiringCenterSignature({ rawBody, signatureHeader, endpointSecret, toleranceSeconds = 300 }) {
  const parsed = parseSignatureHeader(signatureHeader);
  if (!parsed) return false;
  const { timestamp, signatures } = parsed;

  // Replay protection: reject timestamps outside the tolerance window.
  const now = Math.floor(Date.now() / 1000);
  if (Math.abs(now - timestamp) > toleranceSeconds) return false;

  // Compute the expected signature once.
  const expected = crypto
    .createHmac('sha256', endpointSecret)
    .update(`${timestamp}.${rawBody}`)
    .digest('hex');

  // Accept if any provided v1 matches, comparing in constant time.
  for (const candidate of signatures) {
    try {
      if (crypto.timingSafeEqual(Buffer.from(expected, 'hex'), Buffer.from(candidate, 'hex'))) {
        return true;
      }
    } catch (_) {
      // timingSafeEqual throws on a length mismatch; treat that as a non-match.
    }
  }
  return false;
}
```
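A local test fixture for the verification rules above, as an added example that is not HiringCenter's own code: it builds the signature header in the form this page describes, including the two-value rotation form, and runs a condensed receiver check against valid, re-serialized, and late deliveries. The function names, secrets, sample body, and outcome labels are assumptions made for illustration, and the clock is passed in so the results are deterministic.

```javascript
const crypto = require('crypto');

// Hex HMAC-SHA256 over t + "." + rawBody, the formula given on this page.
function hmacHex(secret, t, rawBody) {
  return crypto.createHmac('sha256', secret).update(`${t}.`).update(rawBody).digest('hex');
}

// Sender side (hypothetical test helper): emits one v1 per active secret.
function buildSignatureHeader(secrets, t, rawBody) {
  return [`t=${t}`, ...secrets.map((s) => `v1=${hmacHex(s, t, rawBody)}`)].join(',');
}

// Receiver side, condensed; the clock is injected and the outcome is named.
function checkDelivery({ rawBody, header, secret, now, tolerance = 300 }) {
  const fields = header.split(',').map((p) => p.trim().split('='));
  const t = fields.find(([k]) => k === 't');
  if (!t || !/^\d+$/.test(t[1] || '')) return 'malformed';
  if (Math.abs(now - Number(t[1])) > tolerance) return 'stale';
  const expected = Buffer.from(hmacHex(secret, t[1], rawBody), 'hex');
  const matched = fields
    .filter(([k, v]) => k === 'v1' && /^[0-9a-f]{64}$/i.test(v || ''))
    .some(([, v]) => crypto.timingSafeEqual(expected, Buffer.from(v, 'hex')));
  return matched ? 'accepted' : 'bad-signature';
}

// Constructed sample data: secrets, body and clock are illustrative only.
function runScenarios() {
  const current = 'example-current-secret';
  const previous = 'example-previous-secret';
  const now = 1700000000;
  const rawBody = '{"event": "prospect.created", "id": "example"}';
  const header = buildSignatureHeader([current, previous], now, rawBody);
  const reserialized = JSON.stringify(JSON.parse(rawBody)); // drops the spaces
  return {
    currentSecret: checkDelivery({ rawBody, header, secret: current, now }),
    previousSecret: checkDelivery({ rawBody, header, secret: previous, now }),
    reserializedBody: checkDelivery({ rawBody: reserialized, header, secret: current, now }),
    replayedLater: checkDelivery({ rawBody, header, secret: current, now: now + 301 }),
    unknownSecret: checkDelivery({ rawBody, header, secret: 'not-the-secret', now }),
  };
}

console.log(runScenarios());
```

The `reserializedBody` case is the failure that rule 1 guards against: a body that has been parsed and re-serialized no longer matches the bytes that were signed, so a framework that hands the handler parsed JSON needs a hook that preserves the raw body.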

Poll Prospect Feed (Zapier)

GET https://api.hiringcenterpro.com/v2/webhooks/poll

Returns pollable prospect data for supported event types (currently prospect.created).

This endpoint is primarily intended for Zapier polling, so the response intentionally uses a flat snake_case prospect record rather than the standard event envelope used by other public API responses.

Timestamp fields in this poll payload are ISO 8601 strings (for example created_at, updated_at).

Poll Prospect Feed (Zapier) query parameters

  • accountId: string

    Optional when authentication already resolves account context. Required when the backend cannot infer account context from the authenticated identity.

    Example: 6b3e1a9d4c7f42e8a5d0c1f9b2e7a4c6
  • eventType: string
    Example: prospect.created
    Default: prospect.created

Poll Prospect Feed (Zapier) Responses

OK

  • id: string
  • first_name: string
  • last_name: string
  • email: string | null
  • phone: string | null
  • title: string | null
  • company: string | null
  • street_address: string
  • city: string
  • state: string
  • postal_code: string
  • country: string
  • latitude: number | null
  • longitude: number | null
  • time_zone: string
  • stage_id: string
  • stage_name: string
  • pipeline_id: string
  • pipeline_name: string
  • office_id: string
  • office_name: string
  • source_id: string
  • source_name: string
  • owner_id: string
  • owner_name: string
  • owner_email: string
  • labels: string[]
  • license_status: string
  • created_at: string | null · date-time
  • updated_at: string | null · date-time
  • starred: boolean
  • completed_meeting: boolean
  • incomplete_meeting: boolean
  • past_meeting: boolean
  • upcoming_meeting: boolean
  • due_task: boolean
  • future_task: boolean
  • url: string
  • account_id: string
  • has_email: boolean
  • has_phone: boolean
Additional properties are allowed