webhooks
Programmatic access — API keys and outbound webhooks.
rejento exposes a small read-only HTTP API for integrating with your ATS, BI dashboards, or internal tooling, plus outbound webhooks for event-driven workflows. Both unlock on Team and above (see Plans & limits).
Read-only API
Mint a key in Settings → API keys. The key has a public key_id and a secret that is shown only once. Send the secret in an Authorization: Bearer rk_… header on every request.
Available endpoints
- GET /api/v1/candidates — paginated list with the same filters as the UI
- GET /api/v1/candidates/:id — full candidate + top matched jobs
- GET /api/v1/jobs — paginated job list with status filter
- GET /api/v1/jobs/:id — full job + matched candidates + broadcasts
- GET /api/v1/interviews — scheduled interviews with candidate + job joins
- GET /api/v1/matches — ranked candidate × job pairs
Write endpoints are not exposed via API keys today. Pipeline state changes go through the app (or webhooks). If you need write access, open a ticket.
Outbound webhooks
Subscribe a URL to specific event types via Settings → Webhooks. We POST a JSON body plus an X-Rejento-Signature header carrying the HMAC-SHA256 of the body, keyed with your endpoint's secret. Verify the signature before processing.
Event types
- candidate.created — a new candidate filed from inbound email
- candidate.matched — a candidate × job match was scored ≥ 70
- interview.scheduled — interview row created (Teams meeting + invite)
- interview.completed — status moved to completed
- candidate.status_changed — manual or automated status update
- ai_call.completed — AI voice call ended (any purpose)
Delivery semantics
- Exponential backoff: 30s, 2m, 10m, 1h, 6h, 24h.
- HTTP 2xx = success. Anything else = retry until the table cap (5 attempts).
- Order is not guaranteed across event types — use the timestamp in the payload.
- Idempotency: every delivery includes X-Rejento-Delivery-Id — dedupe on it.
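A receiver that applies these delivery rules together with the signature check, as an added example (not rejento's own code): it authenticates the raw body first, dedupes on X-Rejento-Delivery-Id only after the signature passes, and records the id only once processing succeeds. The function names, the `seen` store, the `type` payload field and the sample values are assumptions.

```javascript
const crypto = require('node:crypto')

// Hex HMAC-SHA256 over the exact bytes received (hex as in the page's Node verifier).
function validSignature(rawBody, signature, secret) {
  const expected = crypto.createHmac('sha256', secret).update(rawBody).digest()
  const received = Buffer.from(String(signature || ''), 'hex')
  return received.length === expected.length &&
    crypto.timingSafeEqual(received, expected)
}

// `seen` is any store with has()/add(): a Set here; a shared store in production
// (assumption). Header names are lowercase because Node lowercases incoming headers.
function handleDelivery(headers, rawBody, secret, seen, onEvent) {
  // 1. Authenticate on the raw body before parsing it or touching any state.
  if (!validSignature(rawBody, headers['x-rejento-signature'], secret)) {
    return { status: 401, handled: false }
  }
  // 2. Dedupe only after the signature passes, so an unsigned request cannot
  //    pre-register a delivery id and suppress the genuine delivery.
  const id = headers['x-rejento-delivery-id']
  if (!id) return { status: 400, handled: false }
  if (seen.has(id)) return { status: 200, handled: false } // retry of finished work
  // 3. Record the id only on success: a failed attempt answers non-2xx and
  //    is retried by the sender.
  try {
    onEvent(JSON.parse(rawBody))
  } catch {
    return { status: 500, handled: false }
  }
  seen.add(id)
  return { status: 200, handled: true }
}

// Constructed sample delivery: secret, delivery id and payload fields are made up.
function sampleDelivery(secret) {
  const rawBody = JSON.stringify({ type: 'candidate.created', timestamp: '2024-01-01T00:00:00Z' })
  const signature = crypto.createHmac('sha256', secret).update(rawBody).digest('hex')
  return {
    rawBody,
    headers: { 'x-rejento-signature': signature, 'x-rejento-delivery-id': 'dlv_example_1' },
  }
}
```

Answering 200 to a duplicate is deliberate: any non-2xx response triggers another retry.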
Signature verification (Node)
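import crypto from 'node:crypto'

// Returns true only when `signature` is the hex HMAC-SHA256 of `rawBody` under `secret`.
function verify(rawBody: string, signature: string, secret: string): boolean {
  const expected = crypto.createHmac('sha256', secret)
    .update(rawBody).digest()
  const received = Buffer.from(signature, 'hex')
  // timingSafeEqual throws on a length mismatch, so reject
  // malformed or truncated signatures before comparing.
  if (received.length !== expected.length) return false
  return crypto.timingSafeEqual(received, expected)
}
Rate limits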
100 requests per minute per API key. 429 with Retry-After when exceeded. If you need a higher cap, ping us.
Need help? Open the support assistant from the bell-icon in your workspace, or email support@rejento.com.