feat(ashby): add webhook triggers with automatic lifecycle management

[waleedlatif1]

Summary

• Add 7 Ashby webhook triggers (application submitted, candidate stage change, candidate hired, candidate deleted, job created, offer created, generic webhook)
• Automatic webhook lifecycle management — webhooks are created/deleted in Ashby via API when triggers are saved/removed
• Add Ashby webhook input formatter for proper payload transformation
• Update Ashby docs to mention webhook trigger support
• Add manual docs descriptions for Fathom, Evernote, and Obsidian integrations

Type of Change

• New feature

Testing

Tested manually

Checklist

• Code follows project style guidelines
• Self-reviewed my changes
• Tests added/updated and passing
• No new warnings introduced
• I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

Project	Deployment	Actions	Updated (UTC)
docs	Skipped		Mar 12, 2026 10:42pm

[cursor]

PR Summary

Medium Risk
Adds new Ashby webhook trigger types and server-side logic to create/delete external Ashby webhooks via API keys, which can impact workflow triggering and external subscription lifecycle if misconfigured.

Overview
Enables Ashby webhook triggers (application submitted, candidate stage change/hired/deleted, job created, offer created) and wires them into the Ashby block UI/registry so workflows can start from Ashby events.

Adds automatic Ashby webhook lifecycle management in provider-subscriptions.ts, creating subscriptions via webhook.create and cleaning them up via webhook.delete, persisting the returned externalId in provider config and adding Ashby payload normalization in webhook input handling.

Updates docs to mention Ashby trigger support and adds richer intro content for evernote, fathom, and obsidian tool pages.

^{Written by Cursor Bugbot for commit cfc8e71. Configure here.}

[greptile-apps]

Greptile Summary

This PR adds six Ashby webhook triggers (Application Submitted, Candidate Stage Change, Candidate Hired, Candidate Deleted, Job Created, Offer Created) with fully automatic lifecycle management — Sim creates the webhook in Ashby when a trigger is saved and deletes it when removed. The implementation follows existing provider patterns, registers triggers in TRIGGER_REGISTRY, spreads body.data fields to the top level in formatWebhookInput, and correctly handles all error/edge cases that were raised in prior review rounds.

Key changes:

• provider-subscriptions.ts: New createAshbyWebhookSubscription and deleteAshbyWebhook functions using Ashby's Basic Auth, with correct three-branch delete logging and TCP-connection-safe body cancellation.
• utils.server.ts: Ashby-specific formatWebhookInput branch that spreads body.data to the top level and places action after the spread to avoid override issues.
• triggers/ashby/utils.ts: Output schemas for all six event types, with paramVisibility: 'user-only' on the API key field and clarified decidedAt description.
• All six trigger config files and their registration in TRIGGER_REGISTRY and AshbyBlock.
• Docs updated for Ashby, Fathom, Evernote, and Obsidian.

Remaining concern:

• webhook.create does not pass a secretToken, so Ashby cannot sign deliveries and incoming payloads cannot be cryptographically verified. The UUID-based URL path offers some obscurity, but other providers in this codebase (e.g. Calendly) generate and persist a webhook secret for proper HMAC-SHA256 verification.

Confidence Score: 4/5

• Safe to merge with the understanding that webhook payload origin cannot be cryptographically verified until a secretToken is added.
• The implementation is well-structured, follows established patterns, and all issues raised in prior review rounds have been addressed. The one remaining gap — no Ashby webhook secretToken for HMAC signature verification — is a security improvement rather than a blocker, since the UUID-based webhook URL already provides a degree of protection. Everything else (error handling, logging, body cancellation, output schemas, credential visibility) is correct.
• apps/sim/lib/webhooks/provider-subscriptions.ts — the createAshbyWebhookSubscription function should ideally generate and persist a secretToken for payload verification.

Important Files Changed

Filename	Overview
apps/sim/lib/webhooks/provider-subscriptions.ts	Adds createAshbyWebhookSubscription and deleteAshbyWebhook functions with well-structured error handling, three-branch delete logging, and body cancellation. Main concern: no secretToken is generated for signature verification on incoming payloads.
apps/sim/lib/webhooks/utils.server.ts	Adds Ashby-specific formatWebhookInput branch that spreads body.data to the top level, fixes the action-override ordering from previous review, and preserves the original data as a nested key. Clean implementation.
apps/sim/triggers/ashby/utils.ts	Defines all Ashby output schemas, trigger options, setup instructions, and apiKey extra field. All issues from prior review (stageType field, hiringTeam, applicationSubmit sub-fields, decidedAt description, paramVisibility) have been addressed.
apps/sim/triggers/registry.ts	Adds all six Ashby trigger IDs to TRIGGER_REGISTRY in proper alphabetical order. No issues.
apps/sim/blocks/blocks/ashby.ts	Adds triggers config with all six Ashby trigger IDs, and spreads subBlocks from each getTrigger call. getTrigger throws on unknown IDs so this is safe at load time.
apps/sim/triggers/ashby/application_submit.ts	Primary Ashby trigger with dropdown (includeDropdown: true) and full output schema including candidate, currentInterviewStage, and job sub-fields.
apps/sim/triggers/ashby/index.ts	Clean barrel export for all six Ashby triggers. No issues.
apps/sim/triggers/ashby/candidate_delete.ts	Defines the Candidate Deleted trigger with minimal output schema (candidate.id only), matching the sparse payload Ashby sends on deletion. No issues.
apps/sim/triggers/ashby/candidate_hire.ts	Defines the Candidate Hired trigger with full application output schema. No issues.
apps/sim/triggers/ashby/candidate_stage_change.ts	Defines the Candidate Stage Change trigger with full application output schema. No issues.
apps/sim/triggers/ashby/job_create.ts	Defines the Job Created trigger with job output schema including status and employmentType. No issues.
apps/sim/triggers/ashby/offer_create.ts	Defines the Offer Created trigger. decidedAt description has been updated to clarify it is typically null at creation time. No issues.
apps/docs/content/docs/en/tools/ashby.mdx	Adds accurate one-paragraph description of webhook trigger support with permission requirements. No issues.

Sequence Diagram

sequenceDiagram
    participant User
    participant Sim UI
    participant Sim Server
    participant Ashby API
    participant Workflow Engine

    User->>Sim UI: Selects Ashby trigger type & enters API key
    Sim UI->>Sim Server: Save trigger configuration
    Sim Server->>Ashby API: POST /webhook.create (requestUrl, webhookType, Basic Auth)
    Ashby API-->>Sim Server: { results: { id: webhookId } }
    Sim Server->>Sim Server: Store externalId in providerConfig
    Sim Server-->>Sim UI: Trigger saved successfully

    Note over Ashby API, Sim Server: On recruiting event (e.g. applicationSubmit)

    Ashby API->>Sim Server: POST /api/webhooks/trigger/{uuid-path}
    Sim Server->>Sim Server: formatWebhookInput — spread body.data to top level
    Sim Server->>Workflow Engine: Execute workflow with formatted payload

    User->>Sim UI: Remove trigger
    Sim UI->>Sim Server: Delete trigger
    Sim Server->>Ashby API: POST /webhook.delete { webhookId: externalId }
    Ashby API-->>Sim Server: 200 OK (or 404 if already removed)
    Sim Server-->>Sim UI: Trigger removed

Loading

_{Last reviewed commit: cfc8e71}

[waleedlatif1]

@cursor review

[waleedlatif1]

@greptile

[waleedlatif1]

@cursor review

[waleedlatif1]

@greptile

[cursor]

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

[waleedlatif1]

All items from the latest review addressed in c14fabb:

1. paramVisibility: 'user-only' — added to the apiKey field.
2. stageType vs type — removed stageType entirely. The actual Ashby field is type, which conflicts with TriggerOutput.type (a reserved property). A renamed field would return undefined at runtime. The id and title on currentInterviewStage are sufficient.
3. Unguarded .json() parse — added .catch(() => ({})) fallback to match the pattern in deleteAshbyWebhook.
4. secretToken — verified optional per Ashby API docs. No change needed.
5. jobCreate — verified as a valid webhookType enum value. No change needed.
6. candidateStageChange outputs — also restructured to match actual Ashby application payload (removed fabricated stageChange object).

[waleedlatif1]

@cursor review

[waleedlatif1]

@greptile

[cursor]

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

[waleedlatif1]

@cursor review

[waleedlatif1]

@greptile

[waleedlatif1]

@cursor review

[waleedlatif1]

@greptile

[cursor]

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

[waleedlatif1]

@cursor review

[waleedlatif1]

@greptile

[cursor]

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

[greptile-apps]

No webhook payload origin verification

webhook.create is called with only requestUrl and webhookType. Ashby's API also accepts a secretToken parameter: when set, Ashby signs every delivery with HMAC-SHA256 and includes the signature in the X-Ashby-Signature header. Without it, any actor who discovers the webhook URL (which is a UUID path but still guessable or leak-able) can POST an arbitrary payload and trigger workflows.

Other providers in this codebase — for example, Calendly — generate and persist a webhookSecret so incoming requests can be verified against the signature header before the payload is acted upon. Consider adopting the same approach here: generate a random token at creation time, include it in requestBody, store it alongside externalId in providerConfig, and verify the X-Ashby-Signature header in formatWebhookInput or the processor before accepting the payload.