Webhook security and testing endpoints.
HiringCenter signs outbound webhook requests with the per-webhook endpoint secret and includes:
X-HiringCenter-Signature: t=<unix_timestamp>,v1=<hex_hmac>
During secret-rotation grace windows, the header can contain multiple v1 values:
X-HiringCenter-Signature: t=<unix_timestamp>,v1=<current_hex>,v1=<previous_hex>
Each v1 is computed as:
HMAC_SHA256(endpointSecret, t + "." + rawBody)
Verification rules:
- Use the exact raw request body bytes/string (no JSON parse + re-serialize).
- Parse t and all v1 values from the header.
- Enforce timestamp tolerance (recommended: 300 seconds) for replay protection.
- Compute expected signature once: expected = HMAC_SHA256(endpointSecret, t + "." + rawBody).
- Compare in constant time.
- Accept if any provided v1 matches.
- Parse JSON only after signature verification succeeds.
Node.js helper:
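An added example implementing the verification rules above (not HiringCenter's own helper). The names parseSignatureHeader, verifyWebhook, opts.toleranceSec and opts.nowSec are assumptions, and the sample secrets and body are constructed.

```javascript
const crypto = require('node:crypto');

// Split "t=...,v1=...,v1=..." into the timestamp and every v1 candidate.
function parseSignatureHeader(header) {
  let t = null;
  const v1 = [];
  for (const part of String(header || '').split(',')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const key = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (key === 't') t = value;
    else if (key === 'v1') v1.push(value);
  }
  return { t, v1 };
}

// rawBody: the unparsed request body (Buffer or string), exactly as received.
// opts.toleranceSec and opts.nowSec are assumed names; nowSec exists for testing.
function verifyWebhook(rawBody, header, endpointSecret, opts = {}) {
  const toleranceSec = opts.toleranceSec ?? 300;
  const nowSec = opts.nowSec ?? Math.floor(Date.now() / 1000);
  const { t, v1 } = parseSignatureHeader(header);
  if (t === null || !/^\d+$/.test(t) || v1.length === 0) return false;
  // Replay protection: reject timestamps outside the window, past or future.
  if (Math.abs(nowSec - Number(t)) > toleranceSec) return false;

  // Compute the expected MAC once over t + "." + rawBody.
  const expected = crypto.createHmac('sha256', endpointSecret)
    .update(`${t}.`).update(rawBody).digest();

  let matched = false;
  for (const candidate of v1) {
    if (!/^[0-9a-f]{64}$/i.test(candidate)) continue; // not a SHA-256 hex digest
    // Equal lengths are guaranteed above, as timingSafeEqual requires.
    if (crypto.timingSafeEqual(Buffer.from(candidate, 'hex'), expected)) matched = true;
  }
  return matched;
}

// Constructed sample: a rotation-window header carrying current and previous MACs.
const sampleSecret = 'constructed-current-secret';
const sampleBody = '{"constructed":true,"event":"prospect.created"}';
const sampleT = '1700000000';
const mac = (secret) => crypto.createHmac('sha256', secret)
  .update(`${sampleT}.${sampleBody}`).digest('hex');
const sampleHeader = `t=${sampleT},v1=${mac(sampleSecret)},v1=${mac('constructed-previous-secret')}`;
console.log(verifyWebhook(sampleBody, sampleHeader, sampleSecret, { nowSec: 1700000060 }));
```

Node lowercases incoming header names, so the value is read from req.headers['x-hiringcenter-signature']. With Express, express.raw({ type: 'application/json' }) on the webhook route keeps req.body as the unparsed Buffer.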
Poll Prospect Feed (Zapier)
Returns pollable prospect data for supported event types (currently prospect.created).
This endpoint is primarily intended for Zapier polling, so the response intentionally uses a flat snake_case prospect record rather than the standard event envelope used by other public API responses.
Timestamp fields in this poll payload are ISO 8601 strings (for example created_at, updated_at).
Query Parameters
- accountId (string): Optional when authentication already resolves account context. Required when the backend cannot infer account context from the authenticated identity. Example: 6b3e1a9d4c7f42e8a5d0c1f9b2e7a4c6
- eventType (string): Example: prospect.created. Default: prospect.created
Responses
OK
- id: string
- first_name: string
- last_name: string
- email: string | null
- phone: string | null
- title: string | null
- company: string | null
- street_address: string
- city: string
- state: string
- postal_code: string
- country: string
- latitude: number | null
- longitude: number | null
- time_zone: string
- stage_id: string
- stage_name: string
- pipeline_id: string
- pipeline_name: string
- office_id: string
- office_name: string
- source_id: string
- source_name: string
- owner_id: string
- owner_name: string
- owner_email: string
- labels: string[]
- license_status: string
- created_at: string | null (date-time)
- updated_at: string | null (date-time)
- starred: boolean
- completed_meeting: boolean
- incomplete_meeting: boolean
- past_meeting: boolean
- upcoming_meeting: boolean
- due_task: boolean
- future_task: boolean
- url: string
- account_id: string
- has_email: boolean
- has_phone: boolean

