Authorization

For making and verifying requests, you need these values:

  • secret - received from Recruit when approved as a Recruit partner. See Getting Started: Integration Partners.
  • api-key - received from a Recruit customer when the integration is activated.

Verify a request from Recruit

When Recruit makes a request to an endpoint that you provide, you must verify the request.

  1. The Authorization header is included with the HTTP requests using the following syntax:
    Authorization: Bearer <token>

  2. To decode the token you received, use your secret with a JWT library of your choice. Many JWT libraries are available online for this purpose. Ensure that the decoding process verifies both the signature and the expiration date. If the decoding is successful, you can extract the api-key from the decoded payload; it is found in the "iss" field. The api-key serves as the unique identifier for the company account that initiated the request.

See the following sample code for token decoding:

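import jwt

API_SECRET = 'API_SECRET'  # the secret you received from Recruit

token = '<token>'  # the value that follows "Bearer " in the Authorization header

try:
    # Verifies the signature and the expiration date; only HS256 is accepted
    decoded = jwt.decode(token, API_SECRET, options={"verify_signature": True}, algorithms=['HS256'])

except jwt.exceptions.ExpiredSignatureError:
    print("Signature expired")  # You have 5 minutes to decode the token

except jwt.exceptions.InvalidSignatureError:
    print("Signature verification failed")

except jwt.exceptions.InvalidTokenError:
    print("Token is malformed or otherwise invalid")  # any other decoding failure

else:
    api_key = decoded['iss']  # this is the identifier of the Recruit account that made the request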

Make a request to Recruit

To make a request to Recruit you must authorize the request.

  1. Generate a token by encoding the account's api-key with your secret using JWT. You can use one of the many JWT libraries available; see code examples here.

  2. Include the Authorization header using the syntax:
    Authorization: Bearer <token>
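
An added example, not Recruit's own code: both directions of the exchange described on this page in standard-library Python, so that each check a JWT library performs (pinned HS256, signature, expiration) is visible. Assumptions: outbound tokens carry the api-key in "iss" as inbound ones do, the 300-second lifetime is taken from the 5-minute comment above, and all function names are hypothetical.

```python
import base64, hashlib, hmac, json

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(secret: str, signing_input: str) -> bytes:
    return hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()

def make_token(api_key: str, secret: str, now: int, ttl: int = 300) -> str:
    """Build an HS256 JWT with the api-key in "iss" (claim layout is an assumption)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps({"iss": api_key, "exp": now + ttl}).encode())
    return f"{header}.{payload}." + b64url_encode(sign(secret, f"{header}.{payload}"))

def api_key_from_header(authorization: str, secret: str, now: int):
    """Return the api-key from a valid 'Bearer <token>' header, otherwise None."""
    scheme, _, token = authorization.partition(" ")
    if scheme != "Bearer" or token.count(".") != 2:
        return None
    header_b64, payload_b64, sig_b64 = token.split(".")
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    # Pin the algorithm: never let the token's own "alg" choose the check.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    # Constant-time comparison over the bytes exactly as received.
    if not hmac.compare_digest(signature, sign(secret, f"{header_b64}.{payload_b64}")):
        return None
    try:  # the payload is parsed only after the signature has been verified
        payload = json.loads(b64url_decode(payload_b64))
    except ValueError:
        return None
    if not isinstance(payload, dict):
        return None
    exp, iss = payload.get("exp"), payload.get("iss")
    if not isinstance(exp, (int, float)) or now >= exp:
        return None  # missing or elapsed expiration
    return iss if isinstance(iss, str) and iss else None
```

Both functions take the current Unix time as `now`, so the expiration check can be exercised with fixed timestamps; in a request handler pass `int(time.time())`.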