June 29th, 2026

Verify Webhook Payloads with HMAC Signatures

Why

Anyone who knows your webhook URL can send fake requests to it. Signature verification lets you confirm a payload actually came from Hirevire before you act on it.

What's new

Every webhook request now includes an X-Hirevire-Signature header (t=timestamp,sha256=hmac) and an X-Hirevire-Timestamp header, generated from a signing secret you control. Verify them on your end to reject spoofed or tampered payloads.

Where

  • Job Settings β†’ Advanced Settings β†’ Webhooks

How it works

  1. Open a job's Webhook settings and expand Advanced Settings

  2. Under Signing secret, click Generate (or paste your own secret), then Save

  3. On your endpoint, compute the HMAC-SHA256 of the timestamp, a dot, then the raw request body, and compare the hex digest against the signature in X-Hirevire-Signature

Notes

  • Available on Agency and Platform plans only

  • Each job has its own signing secret

  • Leave the secret blank to disable signing, existing webhooks keep working without it