HiringCenter
HiringCenter API

Webhooks

Endpoint:https://api.hiringcenterpro.com/v2

Webhook polling, outbound delivery to your HTTPS endpoints, and signature verification.

For the full outbound delivery contract (HTTP request shape, supported event types such as prospect.created, payload envelope, suppression via muteWebhook, and step-by-step signature verification), see x-outboundWebhookDelivery at the end of this document.

HiringCenter signs outbound webhook requests with the per-webhook endpoint secret and includes:

X-HiringCenter-Signature: t=<unix_timestamp>,v1=<hex_hmac>

During secret-rotation grace windows, the header can contain multiple v1 values:

X-HiringCenter-Signature: t=<unix_timestamp>,v1=<current_hex>,v1=<previous_hex>

Each v1 is computed as:

HMAC_SHA256(endpointSecret, t + "." + rawBody)

Verification rules:

  1. Use the exact raw request body bytes/string (no JSON parse + re-serialize).
  2. Parse t and all v1 values from the header.
  3. Enforce timestamp tolerance (recommended: 300 seconds) for replay protection.
  4. Compute expected signature once: expected = HMAC_SHA256(endpointSecret, t + "." + rawBody).
  5. Compare in constant time.
  6. Accept if any provided v1 matches.
  7. Parse JSON only after signature verification succeeds.

Node.js helper:

JavascriptCode
const crypto = require('crypto'); function parseSignatureHeader(signatureHeader) { if (!signatureHeader || typeof signatureHeader !== 'string') return null; const parts = signatureHeader.split(',').map((part) => part.trim()).filter(Boolean); let timestamp = null; const signatures = []; for (const part of parts) { const [k, v] = part.split('='); if (!k || !v) continue; if (k === 't') { const parsed = Number.parseInt(v, 10); if (Number.isFinite(parsed)) timestamp = parsed; } else if (k === 'v1' && /^[0-9a-fA-F]+$/.test(v)) { signatures.push(v.toLowerCase()); } } if (!timestamp || signatures.length === 0) return null; return { timestamp, signatures }; } function verifyHiringCenterSignature({ rawBody, signatureHeader, endpointSecret, toleranceSeconds = 300 }) { const parsed = parseSignatureHeader(signatureHeader); if (!parsed) return false; const { timestamp, signatures } = parsed; const now = Math.floor(Date.now() / 1000); if (Math.abs(now - timestamp) > toleranceSeconds) return false; const expected = crypto .createHmac('sha256', endpointSecret) .update(`${timestamp}.${rawBody}`) .digest('hex'); for (const candidate of signatures) { try { if (crypto.timingSafeEqual(Buffer.from(expected, 'hex'), Buffer.from(candidate, 'hex'))) { return true; } } catch (_) {} } return false; }

Poll Prospect Feed (Zapier)

GET
https://api.hiringcenterpro.com/v2
/webhooks/poll

Returns pollable prospect data for supported event types (currently prospect.created).

This endpoint is primarily intended for Zapier polling, so the response intentionally uses a flat snake_case prospect record rather than the standard event envelope used by other public API responses.

Timestamp fields in this poll payload are ISO 8601 strings (for example created_at, updated_at).

Poll Prospect Feed (Zapier)query Parameters

  • accountIdstring

    Optional when authentication already resolves account context. Required when the backend cannot infer account context from the authenticated identity.

    Example: 6b3e1a9d4c7f42e8a5d0c1f9b2e7a4c6
  • eventTypestring
    Example: prospect.created
    Default: prospect.created

Poll Prospect Feed (Zapier) Responses

OK

  • idstring
  • first_namestring
  • last_namestring
  • emailstring | null
  • phonestring | null
  • titlestring | null
  • companystring | null
  • street_addressstring
  • citystring
  • statestring
  • postal_codestring
  • countrystring
  • latitudenumber | null
  • longitudenumber | null
  • time_zonestring
  • stage_idstring
  • stage_namestring
  • pipeline_idstring
  • pipeline_namestring
  • office_idstring
  • office_namestring
  • source_idstring
  • source_namestring
  • owner_idstring
  • owner_namestring
  • owner_emailstring
  • labelsstring[]
  • license_statusstring
  • created_atstring | null · date-time
  • updated_atstring | null · date-time
  • starredboolean
  • completed_meetingboolean
  • incomplete_meetingboolean
  • past_meetingboolean
  • upcoming_meetingboolean
  • due_taskboolean
  • future_taskboolean
  • urlstring
  • account_idstring
  • has_emailboolean
  • has_phoneboolean
Additional properties are allowed