In Greenhouse Recruiting, navigate to Configure > Dev Center > Web Hooks and create a new webhook, supplying your HTTPS endpoint URL and a secret key you generate
Greenhouse will POST a JSON body to your endpoint for each subscribed event (e.g., candidate_hired, application_updated); your endpoint must return HTTP 200 within a reasonable timeout
On each incoming request, extract the Signature header; its format is '<algorithm> <hex-digest>' — split on the space to isolate the digest portion
Compute HMAC-SHA256 of the raw request body using your secret key; in Python: hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()
Compare your computed digest to the extracted digest using a constant-time comparison function to prevent timing attacks; reject the request with HTTP 403 if they do not match
Note: Greenhouse escapes Unicode characters in the JSON body before signing, so compute your HMAC on the raw bytes received — do not parse and re-serialize the JSON first
Known gotchas
Greenhouse signs the raw body bytes including any Unicode escaping; if you parse the JSON and re-serialize before hashing, the digest will not match
Webhook deliveries can arrive out of order or be retried; use the event timestamp in the payload to detect duplicates and process events idempotently
Only HTTPS endpoints are accepted; HTTP endpoints will be rejected at configuration time
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp