When creating a webhook via the Lever Data API or Settings UI, store the signatureToken returned in the creation response — this is your signing secret
Each webhook POST payload contains three top-level fields relevant to verification: token (the webhook identifier), triggeredAt (Unix millisecond timestamp), and signature (the expected HMAC digest)
Concatenate the token value and the triggeredAt value as a plain string with no separator: concatenated = token + triggeredAt
Compute HMAC-SHA256 of the concatenated string using your signatureToken as the key; hex-encode the digest
Compare your computed hex digest to the signature field in the payload using a constant-time comparison; reject with HTTP 403 if they differ
Lever requires HTTPS endpoints; configure your server to accept only TLS connections before registering the webhook URL
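The verification steps above as an added Python example (not Lever's code and not code from this page). The function names and the sample secret and payload values are constructed for illustration, and returning 403 for bodies that cannot be parsed is an assumption.

```python
import hashlib
import hmac
import json

def compute_signature(token, triggered_at, signature_token):
    """Hex HMAC-SHA256 over token + triggeredAt, keyed with signatureToken."""
    message = f"{token}{triggered_at}".encode("utf-8")  # no separator
    key = signature_token.encode("utf-8")
    return hmac.new(key, message, hashlib.sha256).hexdigest()

def verify_payload(payload, signature_token):
    """True only if the payload's signature matches the recomputed digest."""
    token = payload.get("token")
    triggered_at = payload.get("triggeredAt")
    signature = payload.get("signature")
    # Reject missing or wrongly typed fields before computing anything.
    if not isinstance(token, str) or not isinstance(signature, str):
        return False
    if isinstance(triggered_at, bool) or not isinstance(triggered_at, (int, str)):
        return False
    expected = compute_signature(token, triggered_at, signature_token)
    # Constant-time comparison, as the steps require.
    return hmac.compare_digest(expected.encode("utf-8"), signature.encode("utf-8"))

def handle_webhook(raw_body, signature_token):
    """Return the HTTP status to send: 200 if verified, otherwise 403."""
    try:
        payload = json.loads(raw_body)
        ok = isinstance(payload, dict) and verify_payload(payload, signature_token)
    except ValueError:  # malformed JSON, bad UTF-8, or unencodable strings
        return 403  # assumption: unverifiable bodies are rejected like mismatches
    return 200 if ok else 403

if __name__ == "__main__":
    secret = "constructed-signing-secret"  # constructed, not a real signatureToken
    body = {"token": "constructed-webhook-token", "triggeredAt": 1700000000000}
    body["signature"] = compute_signature(body["token"], body["triggeredAt"], secret)
    print(handle_webhook(json.dumps(body).encode(), secret))  # verified request
    body["triggeredAt"] += 1  # tampered timestamp no longer matches
    print(handle_webhook(json.dumps(body).encode(), secret))
```

The check reads only the three fields from the parsed payload, so a digest computed over the raw request body is rejected like any other mismatch.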
Known gotchas
The signature is computed over the concatenation of token and triggeredAt, not over the full request body — hashing the raw body will always produce a mismatch
The signatureToken is only returned at webhook creation time; if you lose it you must delete and recreate the webhook to get a new token
Lever webhooks carry candidate PII; ensure your receiving endpoint enforces TLS and stores payloads securely in compliance with your data-handling obligations