Help Center · API & Webhooks

Setting up webhooks

Receive real-time notifications when candidates submit assessments.

Pro Updated May 8, 2026

Webhooks fire HTTP POSTs to your URL whenever a submission completes. Pair this with the API to react to results in your own tooling. Available on Pro and Enterprise.

Register a webhook

From Settings » Webhooks, click New Webhook. Enter your endpoint URL (must be HTTPS), pick the events to subscribe to, and click Save. We generate a signing secret and show it once - copy it now and store it where your endpoint can read it.

Verifying signatures

Every request includes an X-Pulsera-Signature header. Compute HMAC-SHA256 of the raw request body using your signing secret and compare to the header value. Reject requests that do not match.

// Node.js example
const sig = req.headers['x-pulsera-signature'];
const expected = crypto.createHmac('sha256', SECRET)
                       .update(req.rawBody).digest('hex');
if (!crypto.timingSafeEqual(Buffer.from(sig), Buffer.from(expected))) {
    return res.status(401).end();
}

Retries and DLQ

If your endpoint returns 5xx (or times out after 10s), we retry with backoff: 60s, 5m, 30m, 2h, 12h. After 5 failed attempts the delivery moves to the dead-letter queue and we email the org owner. You can replay DLQ items from the webhook page.

Security

Webhook URLs must use HTTPS and resolve to a public IP. We block requests to private IP ranges to prevent SSRF. Signing secrets are encrypted at rest with AES-256-GCM.

Was this article helpful?

If something is missing or wrong, let us know.

Send feedback

More in API & Webhooks

Getting an API keyPro

Issue an API key to call the Pulsera Assess REST API from your own systems.