Generate a Workable API access token under Settings > Integrations > API Access Tokens with the r_candidates scope; use base URL https://{subdomain}.workable.com/spi/v3.
POST to /subscriptions with a JSON body specifying the target URL, the event type (e.g., candidate_moved), and optionally a job shortcode or stage to narrow the filter.
Receive incoming webhook POSTs at your registered URL; Workable signs each request with HMAC-SHA256 over the raw request body using either the account token or OAuth application secret as the key, and sends the digest in the X-Workable-Signature header.
Verify the signature by recomputing HMAC-SHA256 of the raw body with your signing key and comparing it to X-Workable-Signature using a constant-time comparison to prevent timing attacks.
Respond with HTTP 200 promptly; Workable retries failed deliveries, so process heavy work asynchronously and return 200 before doing so.
Known gotchas
Workable API v3 (current version, documented at workable.readme.io as v3.19.2) requires scopes set at token creation time; a token without r_candidates cannot subscribe to candidate events.
Rate limits for account tokens and OAuth tokens differ — check the rate-limits reference page at workable.readme.io/reference/rate-limits for current values before building retry logic.
Filtering by job shortcode or stage is only available for candidate-related events, not employee events; applying stage filters to employee event subscriptions returns a 422.
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp