← Changelog
improved

Verify Webhook Payloads with HMAC Signatures

Why

Anyone who knows your webhook URL can send fake requests to it. Signature verification lets you confirm a payload actually came from Hirevire before you act on it.

What's new

Every webhook request now includes an X-Hirevire-Signature header (t=timestamp,sha256=hmac) and an X-Hirevire-Timestamp header, generated from a signing secret you control. Verify them on your end to reject spoofed or tampered payloads.

Where

  • Job Settings → Advanced Settings → Webhooks

How it works

  1. Open a job's Webhook settings and expand Advanced Settings
  2. Under Signing secret, click Generate (or paste your own secret), then Save
  3. On your endpoint, compute the HMAC-SHA256 of the timestamp, a dot, then the raw request body, and compare the hex digest against the signature in X-Hirevire-Signature

Notes

  • Available on Agency and Platform plans only
  • Each job has its own signing secret
  • Leave the secret blank to disable signing, existing webhooks keep working without it