For making and verifying requests, you need these values:
- secret: received from Recruit when approved as a Recruit partner. See Getting Started: Integration Partners.
- api-key: received from a Recruit customer when the integration is activated.
Verify a request from Recruit
When Recruit makes a request to an endpoint that you provide, you must verify the request.
- The Authorization header is included with the HTTP requests using the following syntax:
  Authorization: Bearer <token>
- To decode the token you received, use your secret with a JWT library of your choice. Many JWT libraries are available online for this purpose. Ensure that the decoding process verifies both the signature and the expiration date. If the decoding is successful, you can extract the api-key from the decoded payload; it is found in the "iss" field. The api-key serves as the unique identifier for the company account that initiated the request.
See the following sample code for token decoding:
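import jwt

API_SECRET = 'API_SECRET'  # the secret you received from Recruit

def get_api_key(token):
    # token is the <token> part of the "Authorization: Bearer <token>" header
    try:
        # Pin the accepted algorithm as a list so no other algorithm is accepted
        decoded = jwt.decode(token, API_SECRET, algorithms=['HS256'], options={"verify_signature": True})
    except jwt.exceptions.ExpiredSignatureError:
        print("Signature expired")  # You have 5 minutes to decode the token
    except jwt.exceptions.InvalidSignatureError:
        print("Signature verification failed")
    except jwt.exceptions.InvalidTokenError:
        print("Token is malformed or otherwise invalid")
    else:
        return decoded['iss']  # this is the identifier of the Recruit account that made the request
    return None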
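The checks a JWT library performs in the verification step, written out with only the Python standard library as an added example (not Recruit's own code). The function names, the sample secret and the sample api-key are constructed for illustration, and make_test_token exists only so the example runs offline with a token that carries the "iss" and "exp" fields described above.

```python
import base64, hashlib, hmac, json, time

def _b64d(s):
    # JWT uses unpadded URL-safe base64; restore the padding before decoding
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64e(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _sign(secret, signing_input):
    return hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()

def make_test_token(secret, api_key, exp, alg="HS256"):
    """Constructed token for this demo only."""
    head = _b64e(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64e(json.dumps({"iss": api_key, "exp": exp}).encode())
    return f"{head}.{body}.{_b64e(_sign(secret, head + '.' + body))}"

def api_key_from_header(authorization, secret, now=None):
    """Return the api-key ("iss") if the Bearer token is valid, else None."""
    scheme, _, token = authorization.partition(" ")
    if scheme != "Bearer" or token.count(".") != 2:
        return None
    head, body, sig = token.split(".")
    try:
        header = json.loads(_b64d(head))
        claims = json.loads(_b64d(body))
        given = _b64d(sig)
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    # Pin the algorithm: a token that declares "none" or anything else is rejected
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    # Constant-time comparison of the signature over "<header>.<payload>"
    if not hmac.compare_digest(given, _sign(secret, head + "." + body)):
        return None
    exp = claims.get("exp") if isinstance(claims, dict) else None
    current = time.time() if now is None else now
    if not isinstance(exp, (int, float)) or exp <= current:
        return None  # a missing expiry is treated the same as an expired one
    return claims.get("iss")

if __name__ == "__main__":
    demo = make_test_token("constructed-secret", "acct-123", int(time.time()) + 300)
    print(api_key_from_header("Bearer " + demo, "constructed-secret"))
```
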
Make a request to Recruit
To make a request to Recruit you must authorize the request.
- Generate a token by encoding the account's api-key with your secret using JWT. You can use one of the many JWT libraries available, see code examples here.
- Include the Authorization header using the syntax:
  Authorization: Bearer <token>