Open recruiter verification protocol.
Generate, publish, and verify hiring.txt files to protect candidates from recruitment fraud.
A plain text file that companies publish at /.well-known/hiring.txt to declare their legitimate recruitment practices — official domains, channels, application URLs, and things they'll never ask candidates to do.
```
# https://acme.com/.well-known/hiring.txt
Canonical-Domains: acme.com, careers.acme.com
Recruiting-Channels: https://linkedin.com/company/acme
Application-URLs: https://careers.acme.com/jobs
Never: payment, crypto, gift-cards, whatsapp-first-contact
Verify-Contact: mailto:verify@acme.com
Report-Abuse: mailto:abuse@acme.com
Expires: 2027-06-01T00:00:00Z
```
Think robots.txt for crawlers, security.txt for vulnerabilities, ads.txt for ad fraud — hiring.txt for recruitment.
- $501M lost to job scams in the US in 2024 (FTC)
- Job scam reports doubled in 2025 (BBB)
- CrowdStrike's recruitment team was impersonated to install crypto miners
- North Korea's Lazarus Group runs fake developer interviews to deploy malware
There is no standard way for candidates to verify whether a recruiter actually represents a company. hiring.txt fixes that.
| Feature | Description |
|---|---|
| Generator | Interactive form → live hiring.txt preview with syntax highlighting |
| Verifier | Enter company + recruiter email → VERIFIED / UNKNOWN / SUSPICIOUS verdict |
| Heuristics | Detects payment requests, crypto language, lookalike domains, free email providers |
| Email Auth | Paste Authentication-Results headers → DKIM/SPF/DMARC verification |
| 6 Languages | English, Türkçe, Español, Deutsch, Français, العربية (RTL supported) |
| Zero Tracking | No backend, no analytics, no cookies. Everything runs in the browser. |
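
To make the Verifier and Email Auth rows concrete, here is an added sketch that parses the sample file shown earlier and returns a verdict for a recruiter's address. It is not HireGuard's code from `@hireguard/core`: the line grammar, the function names `parseHiringTxt` and `checkRecruiter`, the `dmarcPass` flag and the verdict rules are all assumptions made for illustration.

```typescript
// Added example, not HireGuard's code. Grammar and verdict rules are assumptions.
type Verdict = "VERIFIED" | "UNKNOWN" | "SUSPICIOUS";

// Constructed sample, copied from the example file earlier on this page.
const SAMPLE = [
  "# https://acme.com/.well-known/hiring.txt",
  "Canonical-Domains: acme.com, careers.acme.com",
  "Never: payment, crypto, gift-cards, whatsapp-first-contact",
  "Expires: 2027-06-01T00:00:00Z",
].join("\n");

// Parse "Field: v1, v2" lines; lines starting with '#' are comments (assumed).
function parseHiringTxt(text: string): Record<string, string[]> {
  const fields: Record<string, string[]> = Object.create(null);
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    const idx = line.indexOf(":"); // first colon only: values may contain ':'
    if (line === "" || line.charAt(0) === "#" || idx <= 0) continue;
    const name = line.slice(0, idx).trim().toLowerCase();
    const values = line.slice(idx + 1).split(",")
      .map((v) => v.trim()).filter((v) => v !== "");
    fields[name] = (fields[name] || []).concat(values);
  }
  return fields;
}

// dmarcPass: whether the message's Authentication-Results showed a DMARC pass
// for the From domain; without it the From address proves nothing.
function checkRecruiter(text: string, email: string, dmarcPass: boolean, now: Date): Verdict {
  const fields = parseHiringTxt(text);
  const domains = (fields["canonical-domains"] || []).map((d) => d.toLowerCase());
  const expires = Date.parse((fields["expires"] || [])[0] || "");
  // Missing domains or a missing, invalid or past Expires: no usable policy.
  if (domains.length === 0 || isNaN(expires) || expires <= now.getTime()) return "UNKNOWN";
  const at = email.lastIndexOf("@");
  if (at < 1) return "SUSPICIOUS";
  const sender = email.slice(at + 1).trim().toLowerCase();
  // Exact match only, so lookalikes such as acme-careers.com never pass.
  if (domains.indexOf(sender) === -1) return "SUSPICIOUS";
  return dmarcPass ? "VERIFIED" : "UNKNOWN";
}
```
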
```
hireguard/
├─ packages/core/   # @hireguard/core — pure TS: parser, serializer, validator, heuristics, verifier
├─ apps/web/        # @hireguard/web — React SPA (Vite + TypeScript + CSS Modules)
├─ docs/            # Protocol spec, architecture, JSON schema
├─ Dockerfile       # Multi-stage: Node 22 → Nginx Alpine (~25MB)
└─ nginx.conf       # Gzip, CORS, security headers, SPA fallback
```
```bash
# Prerequisites: Node ≥18, pnpm

# Install dependencies
pnpm install

# Run dev server
pnpm dev

# Run tests (52 unit tests)
pnpm test

# Production build
pnpm build
```

```bash
docker build -t hireguard .
docker run -p 8080:8080 hireguard
```

The production image is ~25MB (Nginx Alpine) and listens on port 8080.
- Generate your file at hireguard.org
- Place it at `/.well-known/hiring.txt` on your domain
- Add CORS header — required for browser-based verification:

  ```
  Access-Control-Allow-Origin: *
  ```

Server configs for Nginx, Apache, Caddy, and static hosts are available in the Adopt guide.
| Document | Description |
|---|---|
| Protocol Spec | Wire format, parsing rules, verification logic, Never tokens, ADRs |
| Architecture | Technical architecture, i18n strategy, verifier engine, deploy |
| Tier 0 Schema | JSON Schema for the hiring.txt data model |
- Build: Vite
- UI: React 18 + TypeScript
- Routing: React Router v7
- i18n: react-i18next (6 languages × 6 namespaces)
- Styling: CSS Variables + CSS Modules
- Testing: Vitest (52 tests)
- Deploy: Docker (Nginx Alpine) on DigitalOcean
hiring.txt is an open protocol. Contributions welcome:
- Company registry: Add companies to `apps/web/public/data/companies.json`
- Translations: Add or improve translations in `apps/web/src/locales/`
- Never tokens: Propose new well-known tokens via PR
- Heuristics: Improve scam detection patterns in `packages/core/src/heuristics.ts`
MIT
hiring.txt is an open protocol. HireGuard provides the tooling. There is no paid plan. There never will be.