Navigate to Settings > Apps and Plugins > Webhooks in Recruitee and click + New webhook; enter a name, an HTTPS POST URL, and select the candidate_moved event type.
Note the webhook secret displayed in the configuration dialog; store it securely — it is used to verify all incoming webhook requests.
When Recruitee fires a webhook, it includes X-Recruitee-Signature in the HTTP headers; the value is a base16-encoded HMAC-SHA256 digest computed over the raw request body using the webhook secret.
Verify the signature in your handler by computing HMAC-SHA256(secret, raw_body) and comparing the hex digest to X-Recruitee-Signature using constant-time comparison; reject any request where they do not match.
For stage-change events, parse the event_type (candidate_moved) and event_subtype (stage_changed); the payload.details object contains from_stage and to_stage objects with id, name, and category fields.
Known gotchas
Recruitee retries failed webhook deliveries up to 9 times with exponential backoff over 48 hours; return HTTP 200 quickly and process asynchronously to avoid duplicate processing from retries.
Webhook rate limits differ by plan: trial companies are limited to 100 requests per minute; exceeded requests are delayed by approximately 10 minutes rather than dropped.
The HMAC-SHA256 digest must be computed over the raw (unparsed) request body bytes; parsing JSON first and re-serializing may alter whitespace and invalidate the signature.
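The verification and stage-change parsing steps above, together with the raw-body gotcha, as an added example (not Recruitee's code). The secret, the sample body and its stage values are constructed; the 401 rejection status and the case-insensitive hex comparison are assumptions of this sketch.

```python
import hashlib
import hmac
import json

SIGNATURE_HEADER = "X-Recruitee-Signature"  # header name from the steps above

def sign(secret: bytes, raw_body: bytes) -> str:
    """Hex (base16) HMAC-SHA256 digest over the raw body bytes."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()

def verify(secret: bytes, raw_body: bytes, headers: dict) -> bool:
    """Constant-time signature check; a missing header fails closed."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    received = {k.lower(): v for k, v in headers.items()}.get(SIGNATURE_HEADER.lower())
    if not received:
        return False
    # Assumption: hex case is not significant, so compare in lower case.
    return hmac.compare_digest(sign(secret, raw_body).encode(),
                               received.strip().lower().encode())

def handle(secret: bytes, raw_body: bytes, headers: dict):
    """Return (status, stage_change); stage_change is (from_name, to_name) or None."""
    if not verify(secret, raw_body, headers):
        return 401, None  # assumed rejection status; nothing is parsed yet
    event = json.loads(raw_body)  # parse only after the bytes are authenticated
    if (event.get("event_type"), event.get("event_subtype")) != ("candidate_moved", "stage_changed"):
        return 200, None  # acknowledge events this handler does not process
    details = event["payload"]["details"]
    return 200, (details["from_stage"]["name"], details["to_stage"]["name"])

def reserialized(raw_body: bytes) -> bytes:
    """Parse then re-dump the body: same JSON value, different bytes."""
    return json.dumps(json.loads(raw_body)).encode()

# Constructed sample data: the secret and body are made up for this example.
SECRET = b"example-webhook-secret"
RAW_BODY = (b'{"event_type": "candidate_moved", "event_subtype": "stage_changed",\n'
            b' "payload": {"details": {'
            b'"from_stage": {"id": 1, "name": "Applied", "category": "apply"},'
            b'"to_stage": {"id": 2, "name": "Interview", "category": "interview"}}}}')
HEADERS = {SIGNATURE_HEADER: sign(SECRET, RAW_BODY)}

if __name__ == "__main__":
    print(handle(SECRET, RAW_BODY, HEADERS))              # verified stage change
    print(verify(SECRET, reserialized(RAW_BODY), HEADERS))  # re-serialized body fails
    print(handle(SECRET, RAW_BODY, {}))                   # unsigned request rejected
```

In a real handler, pass the body bytes exactly as read from the socket (before any framework JSON parsing) and hand the verified event to a queue so the 200 response returns quickly.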