We allow you to generate a secret key for the subscription. You can use it to verify the author of callback messages. When you
have a secret key already defined - a creation of new one will make old one deprecated - it will be still active for 24 hours
though. You can have up to 16 non-expired secret keys.
A signature will be included in header smartrecruiters-signature
of callback request. Additionally we will send
smartrecruiters-timestamp
header with timestamp (seconds) of request.
smartrecruiters-signature
header value has the following format:
$SIGNATURE_SCHEMA=$SIGNATURE_1;$SIGNATURE_SCHEMA=$SIGNATURE_2...
As you may notice there may be multiple signatures included in the header. It can be caused by one or both:
- having multiple active keys
- smartrecruiters providing multiple signatures per key with different signature schemes. We may use it in the
future to deliver new algorithm of signature creation without breaking backward compability.
Every segment of header value is delimited by;
character
Currently, we support and sent following signature ($SIGNATURE_SCHEMA
):
1) v1
v1
Signature calculated using HMAC with SHA256 algorithm. Hash should be calculated from following elements
concatenated by the .
character:
smartrecruiters-timestamp
header value- request body
event-id
header valueevent-name
header valueevent-version
header valuelink
header value
Order of this elements is important. In absence of header please use an empty string as its value.
For example assume we have:
- One active secret key: HeBVky2bccvvkcXPimH8c
- Callback request:
- headers:
- content-type: application/json
- smartrecruiters-signature: "v1=2e9291f10d44ca10204a4cd81b05d73b6a316b2b605d4e2e0e0b37b40198ce1f"
- smartrecruiters-timestamp = "1574080897"
- event-id = "123"
- link = "http://smartrecruiters.com/endpoint; rel=self"
- event-name = "application.created"
- event-version = "v201910"
- body: {"job_id":"jid","candidate_id": "cid"}
- headers:
hash should be calculated from value:
1574080897.{"job_id":"jid","candidate_id":"cid"}.123.application.created.v201910.<http://smartrecruiters.com/endpoint>; rel=self
and after using HMAC and SHA256 it should give you hash : 2e9291f10d44ca10204a4cd81b05d73b6a316b2b605d4e2e0e0b37b40198ce1f,
so that smartrecruiters-signature
header in the callback request will have value:
v1=2e9291f10d44ca10204a4cd81b05d73b6a316b2b605d4e2e0e0b37b40198ce1f