Hires API Overview

This API enables you to be notified when a candidate is hired on Comeet. This is useful for HRIS and talent management systems that manage employee data.

To begin the integration process, contact us at [email protected].

Webhook for Hire Event

The integration takes the form of a webhook. Defining the webhook requires two values:

  • Endpoint URL – Each time a hire is made in Comeet, the new employee’s data is sent via a POST request to this specified endpoint URL over HTTPS. If you plan to support multiple companies using Comeet, make sure to provide a URL that includes a unique identifier of the user or company.
  • Secret Key – When defined, the key is used to generate a digital signature for verification; see details below.

To configure this integration in Comeet, a user with Admin privileges specifies these values in the Integrations page.

Verify the request

All API calls use HTTPS and should be verified by your server.

  1. To verify a request you need the Secret Key that was specified when setting up the integration in Comeet.
  2. Comeet will add the signature header to the HTTP request.
  3. Verify the request by generating a digital signature using the SHA256 algorithm (HMAC-SHA256 in the sample below) on the payload of the request with the Secret Key that was specified. The result must be identical to the signature header. You can use one of the many JWT libraries available online. If the values are not the same, fail the request with an unauthorized response (HTTP 401).
import hashlib
import hmac

# Runs inside your request handler; request.META and request.body are Django's request attributes.
SECRET_KEY = b'XXXX'  # the key that was specified on the integration page in Comeet (bytes, as hmac requires)
request_signature_header_value = request.META.get('HTTP_SIGNATURE', '')  # the signature sent with the request
request_payload = request.body  # the raw payload bytes sent in the request

# generate the signature value:
alg = hashlib.sha256
local_signature_value = hmac.new(SECRET_KEY, msg=request_payload, digestmod=alg).hexdigest()
full_local_value = "sha256 {}".format(local_signature_value)

# now, compare values (constant-time comparison on bytes; a missing header compares unequal):
if hmac.compare_digest(full_local_value.encode(), request_signature_header_value.encode()):
    # we are good to go
    ...
else:
    # not the same signature, HTTP 401 response is expected and the process should be stopped
    ...
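
The following is an added example, not Comeet's code: a receiver that serves several companies from one endpoint, as the Endpoint URL note above suggests, picking the Secret Key from the company identifier in the URL and verifying the raw body before parsing it. The URL layout /hooks/comeet/<company_id>, the SECRETS table, the function names and the payload fields are assumptions made for illustration; the header name and the "sha256 <hex>" format follow the sample above.

```python
import hashlib
import hmac
import json

# Hypothetical per-company Secret Keys; in production load them from a secrets store.
SECRETS = {"acme": b"constructed-secret-acme", "globex": b"constructed-secret-globex"}
PREFIX = "/hooks/comeet/"  # assumed URL layout: /hooks/comeet/<company_id>


def sign(secret: bytes, payload: bytes) -> str:
    """Header value in the 'sha256 <hex>' form used by the sample above."""
    return "sha256 " + hmac.new(secret, payload, hashlib.sha256).hexdigest()


def handle_hire_webhook(path: str, headers: dict, raw_body: bytes):
    """Return (http_status, parsed_payload_or_None) for one POST delivery."""
    company_id = path[len(PREFIX):] if path.startswith(PREFIX) else ""
    secret = SECRETS.get(company_id)
    # HTTP header names are case-insensitive, so normalise before the lookup.
    received = {k.lower(): v for k, v in headers.items()}.get("signature", "")
    # Unknown company and missing header get the same 401 as a bad signature.
    if secret is None or not received:
        return 401, None
    expected = sign(secret, raw_body)
    # Constant-time comparison on bytes; verify BEFORE parsing the body.
    if not hmac.compare_digest(expected.encode(), received.encode("utf-8", "replace")):
        return 401, None
    try:
        return 200, json.loads(raw_body)
    except ValueError:
        return 400, None


# Constructed sample delivery (field names are illustrative, not Comeet's schema).
BODY = b'{"employee":{"first_name":"Dana","last_name":"Levi"}}'
GOOD = {"Signature": sign(SECRETS["acme"], BODY)}

if __name__ == "__main__":
    print(handle_hire_webhook("/hooks/comeet/acme", GOOD, BODY))
    # A delivery signed for one company is rejected on another company's URL.
    print(handle_hire_webhook("/hooks/comeet/globex", GOOD, BODY))
    # Re-serialising the JSON changes the bytes, so verify the raw body only.
    print(handle_hire_webhook("/hooks/comeet/acme", GOOD, json.dumps(json.loads(BODY)).encode()))
```
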