Authenticate using OAuth 2.0 by obtaining an access token from the iCIMS authorization server; iCIMS also supports HMAC authentication for some legacy integrations, but OAuth 2.0 is the recommended method.
Construct API requests using HTTPS — TLS 1.2 or higher is required; all traffic on lower TLS versions is rejected.
Implement pagination for list endpoints; iCIMS list responses include pagination metadata and can be filtered by attributes such as applicant workflow person ID to scope results.
Respect the default rate limit of 10,000 API calls per day per customer; monitor the X-RateLimit-Reset header and the remaining-calls header included in each response to track usage and throttle requests proactively.
Design your JSON parsing to treat response payloads as key-value maps and ignore unknown keys — iCIMS may add new JSON fields at any time without versioned notice; strict schema validation will break on additions.
Handle 429 Too Many Requests responses with exponential backoff and use the X-RateLimit-* headers to determine the reset time before retrying.
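The client-side pieces of the steps above, as an added example that is not iCIMS code: a TLS 1.2 floor, a retry delay for 429 responses, and parsing that ignores unknown keys. It assumes X-RateLimit-Reset carries epoch seconds, and the sample field names are hypothetical.

```python
import json
import ssl
from datetime import datetime, timezone

def tls_context():
    """Client context that refuses anything below TLS 1.2."""
    ctx = ssl.create_default_context()  # certificate and hostname checks stay on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def retry_delay(status, headers, attempt, now, base=1.0, cap=300.0):
    """Seconds to wait before retrying, or None when no retry is needed."""
    if status != 429:
        return None
    backoff = min(cap, base * 2 ** attempt)  # exponential, capped
    try:
        # Assumption: X-RateLimit-Reset carries epoch seconds (UTC).
        reset_at = datetime.fromtimestamp(int(headers["X-RateLimit-Reset"]), tz=timezone.utc)
    except (KeyError, TypeError, ValueError, OverflowError, OSError):
        return backoff  # header missing or unparseable: plain backoff
    # Retrying before the quota resets only burns more calls.
    return max(backoff, (reset_at - now).total_seconds())

def parse_record(body, wanted):
    """Read a response as a key-value map, keeping only the keys this tenant uses."""
    data = json.loads(body)
    if not isinstance(data, dict):
        raise ValueError("expected a JSON object")
    return {key: data.get(key) for key in wanted}  # unknown keys are ignored

# Constructed sample data; the field names are hypothetical.
SAMPLE_BODY = '{"id": 1042, "status": "Hired", "newFieldAddedLater": {"x": 1}}'
SAMPLE_NOW = datetime(2024, 5, 1, 23, 30, tzinfo=timezone.utc)
SAMPLE_429 = {"X-RateLimit-Reset": str(int(datetime(2024, 5, 2, tzinfo=timezone.utc).timestamp()))}

if __name__ == "__main__":
    print(tls_context().minimum_version)
    print(retry_delay(429, SAMPLE_429, attempt=0, now=SAMPLE_NOW))
    print(parse_record(SAMPLE_BODY, wanted=("id", "status", "email")))
```

Pass the headers through a case-insensitive mapping, since HTTP header names are not case-sensitive.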
Known gotchas
The daily rate limit resets at 12:00 AM UTC — integrations that batch-pull data in the hours just before midnight risk exhausting the limit and being blocked until the UTC reset.
iCIMS tenant configurations vary significantly; field names, workflow statuses, and available endpoints differ between customers and even between jobs within the same tenant — always test against the specific tenant configuration rather than assuming generic field names.
iCIMS advises against strict JSON schema validation because new fields are added without versioned breaking changes; integrations that enforce strict schemas will fail silently or loudly when new fields appear.