How HiredScore is Using Lunar to Enforce 429s and Unify Third Party API Consumption
We recently spoke to Avner Cohen, CISO and Head of DevOps at HiredScore, an HR tech company with over 170 employees that has been growing for the past 10 years. HiredScore is bringing optimal hiring processes to Fortune 500 companies and big enterprises with the help of AI and aggregated data.
Bringing AI models to optimize vast hiring processes is a complex and interconnected feat. It requires an ongoing analysis of aggregated data and numerous integrations into a myriad of third-party vendors and HR systems—essentially to provide recruiters and hiring managers with action-driving recommendations that are bias-free and fully explainable.
Tell us about HiredScore’s R&D and who’s in charge of integrations
HiredScore’s 60-person R&D unit consists of the following four teams: Machine Learning and Data Science, DevOps, Front and Backend, and Integrations.
HiredScore connects to many different HR systems. Consuming APIs on behalf of clients can be risky, and uniquely challenging. Our integrations team is in charge of connecting to these external systems. Our API calls and our product needs are non-standard, which is where we want to excel, hence we have an entire dedicated team for that.
What was compelling to HiredScore about Lunar’s offering?
From my experience, companies that scale don’t simply come up with an understanding of what they need to develop in terms of integrations and security overnight. It’s something that might even be more challenging to develop in retrospect.
For a company like HiredScore, which is consuming APIs on behalf of clients, the core of the product relies on integrations with APIs and external systems. There are many generations of integration connectors at HiredScore, and no two integrations are alike. HiredScore constantly needs to be mindful of different scenarios like:
What happens when we get an invalid password error? How do we approach authentication with external systems? What happens when we get 429 errors after exceeding our limit or accidentally abusing an external system? What happens when we're consuming on behalf of a client and then encounter a bug or hit the call limit?
A while back I had an idea for a magical model that would help us manage our third-party consumption. The idea was to tunnel all third-party API calls through one API proxy, allowing HiredScore to include APIs of every generation. So, when we came across Lunar.dev it was like they’d read my mind. It was the magical model made real. Lunar’s solution offers one location, one constant proxy through which all the calls are tunneled and managed. It’s seamless, it provides common configuration capabilities, it’s self-managed and hosted, and it’s relevant for all the connectors in place.
Why use Lunar.dev’s Rate Limit policies and Observability Dashboard?
Our design partnership set sail five months ago. We started using Lunar for rate limiting and to manage all our connectors in one place via the Lunar API proxy. Our use case with rate limits is unique. As we connect across different HR systems, some older and more prone to downtime, we were required to rate limit the number of calls to the older systems we integrate with.
In addition, we needed more observability but integrated within our existing stack so we implemented Lunar.dev’s visibility dashboard on top of the calls, with Grafana. We now get visibility via graphs showing the number of calls and fails, and the dashboard is configurable.
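The two answers above describe the problem in the abstract: outbound calls to a third-party HR system must be throttled on the client side, and a 429 from the upstream must be handled rather than retried blindly. The following is an added example, not HiredScore's or Lunar.dev's code, showing the shape of such a choke point: a per-host token bucket in front of every outbound call, 429 handling that honours Retry-After (with exponential backoff when the header is absent), and per-host counters that a dashboard like the one described above would scrape. The host name legacy-hr.example, the FakeUpstream that allows five calls per sliding second, and the FakeClock are all constructed here so the example runs offline.

```python
"""Client-side rate limiting and 429 handling for outbound third-party calls.

Added illustration; hosts, limits and the fake upstream are constructed, not real.
"""
import time
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlsplit


@dataclass
class Response:
    status: int
    headers: Dict[str, str]
    body: str = ""


class TokenBucket:
    """Allows `capacity` calls at once, then refills at `rate` tokens per second."""

    def __init__(self, capacity: int, rate: float, now: float):
        self.capacity, self.rate = capacity, rate
        self.tokens, self.updated = float(capacity), now

    def acquire(self, now: float) -> float:
        """Take one token. Returns 0.0 on success, else seconds to wait before retrying."""
        self.tokens = min(self.capacity, self.tokens + (now - self.updated) * self.rate)
        self.updated = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return 0.0
        return (1.0 - self.tokens) / self.rate


class RateLimitedError(RuntimeError):
    """Raised when the upstream keeps answering 429 after all retries."""


class OutboundGateway:
    """Single choke point for third-party calls: per-host bucket, 429 handling, counters."""

    def __init__(self, limits: Dict[str, Tuple[int, float]], send: Callable[[str], Response],
                 clock: Callable[[], float] = time.monotonic,
                 sleep: Callable[[float], None] = time.sleep, max_retries: int = 3):
        self.send, self.clock, self.sleep, self.max_retries = send, clock, sleep, max_retries
        self.buckets = {h: TokenBucket(cap, rate, clock()) for h, (cap, rate) in limits.items()}
        self.stats = defaultdict(lambda: {"calls": 0, "429s": 0})  # what a dashboard would scrape

    def request(self, url: str) -> Response:
        host = urlsplit(url).hostname or ""
        bucket = self.buckets.get(host)  # hosts without a configured limit pass straight through
        for attempt in range(self.max_retries + 1):
            if bucket is not None:
                wait = bucket.acquire(self.clock())
                while wait > 0:  # throttle locally before the upstream has to refuse us
                    self.sleep(wait)
                    wait = bucket.acquire(self.clock())
            resp = self.send(url)
            self.stats[host]["calls"] += 1
            if resp.status != 429:
                return resp
            self.stats[host]["429s"] += 1
            retry_after = resp.headers.get("Retry-After", "")
            # Prefer the upstream's own hint; otherwise back off exponentially.
            delay = float(retry_after) if retry_after.isdigit() else 0.5 * (2 ** attempt)
            self.sleep(delay)
        raise RateLimitedError(f"{host}: still 429 after {self.max_retries} retries")


class FakeClock:
    """Constructed clock so the example runs instantly and deterministically."""

    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def sleep(self, seconds: float) -> None:
        self.t += seconds


class FakeUpstream:
    """Constructed stand-in for a legacy HR API allowing `limit` calls per sliding second."""

    def __init__(self, limit: int, clock: Callable[[], float]):
        self.limit, self.clock, self.seen = limit, clock, []  # type: int, Callable, List[float]

    def __call__(self, url: str) -> Response:
        now = self.clock()
        self.seen = [t for t in self.seen if now - t < 1.0]
        if len(self.seen) >= self.limit:
            return Response(429, {"Retry-After": "1"})
        self.seen.append(now)
        return Response(200, {}, "ok")


def run_batch(n_calls: int, client_limit: Tuple[int, float], upstream_limit: int):
    """Send n_calls through the gateway; return (statuses, per-host stats, elapsed seconds)."""
    clock = FakeClock()
    upstream = FakeUpstream(upstream_limit, clock)
    gw = OutboundGateway({"legacy-hr.example": client_limit}, upstream, clock, clock.sleep)
    statuses = [gw.request("https://legacy-hr.example/v1/candidates").status for _ in range(n_calls)]
    return statuses, dict(gw.stats["legacy-hr.example"]), clock.t


if __name__ == "__main__":
    # A client limit below the upstream's (one call per 0.25 s) never triggers a 429.
    print(run_batch(10, (1, 4.0), 5))
    # A client limit above it does; the gateway honours Retry-After and recovers.
    print(run_batch(8, (8, 8.0), 5))
```

The bucket is keyed by host rather than by URL because upstream quotas are almost always per tenant or per API, not per endpoint; the 429 counter is the figure worth alerting on, since a rising count means the local limit no longer matches what the upstream actually enforces.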
What surprised you about Lunar.dev and the solution?
We knew we were getting a team of experts in the field of third-party API consumption and this made all the difference.
There was also a great match in terms of the requirements—what we needed is exactly what Lunar.dev does, and we kicked off a design partnership process that felt useful and valuable and within our critical path.
As a seasoned CISO and engineer, what’s your tip on how to assess new software?
As a CISO, what I want to know is that my data and my client's data stay with me and that I am not adding any risks or expanding my attack surface by adding another new agent or third-party solution, and in this sense, Lunar is a great partner. It’s working within our VPC, the data is not going out anywhere and I can sleep better at night.
What’s your top tip for engineering teams relying on third-party APIs?
In short—if it’s not critical to your business IP, manage it with an external solution and make sure it’s replicable as “drag and drop.”
At most companies, what I refer to as “the plumbing of the API”, i.e., connecting, rate limiting, authentication, caching, and all this infrastructure plumbing is in all probability not the main business of the company. HiredScore for example is dealing with HR data, and this is what concerns us.
Not all companies need to know HTTP, it’s just a protocol; they don’t need to understand the specific limitations a specific API has, and how to authenticate to it. Some companies, HiredScore included, focus on enabling a “drag and drop” for the rate limit plumbing, and for caching, and then attend to the business logic.
Who should implement an infrastructure tool like Lunar.dev?
Some companies that integrate with other tools are always relying on more integrations, new ones, and new systems. Integrations then become part of the life cycle of such companies. If you’re a major company like Slack, you can create your own marketplace, and make integrations effortless. But if you’re not one of these companies, and you’re continuously adding new integrations you will probably want to try a tool like Lunar.
Using a tool like this is like outsourcing your API management. It means getting a central location where all the integrations happen. You’re getting a team of experts, and you’re always in the know as to what’s going on in this domain thanks to the management and observability capabilities you’re receiving.