Validating requests from HubSpot
To ensure that the requests that your integration is receiving from HubSpot are actually coming from HubSpot, several headers are populated in the request. You can use these headers, along with fields of the incoming request, to verify the signature of the request.
The method used to verify the signature depends on the version of the signature:
- To validate a request using the latest version of the HubSpot signature, use the
X-HubSpot-Signature-V3
header and follow the associated instructions for validating the v3 version of the signature. - For backwards compatibility, requests from HubSpot also include older versions of the signature. To validate an older version of the signature, check the
X-HubSpot-Signature-Version
header, then follow the associated instructions below based on whether the version isv1
orv2
.
In the instructions below, learn how to derive a hash value from your app's client secret and the fields of an incoming request. Once you compute the hash value, you'll compare it to the signature. If the two are equal, then the request has passed validation. Otherwise, the request may have been tampered with in transit or someone may be spoofing requests to your endpoint.
If your app is subscribed to CRM object events via the webhooks API, requests from HubSpot will be sent with the X-HubSpot-Signature-Version
header set to v1
. The X-HubSpot-Signature
header will be an SHA-256 hash built using the client secret of your app combined with details of the request.
To verify this version of the signature, perform the following steps:
- Create a string that concatenates together the following:
Client secret
+request body
(if present) - Create a SHA-256 hash of the resulting string.
- Compare the hash value to the value of the
X-HubSpot-Signature
header:- If they're equal then this request has passed validation.
- If these values do not match, then this request may have been tampered with in-transit or someone may be spoofing requests to your endpoint.
Example for a request with a body:
v1 request signature examples:
The resulting hash would be:232db2615f3d666fe21a8ec971ac7b5402d33b9a925784df3ca654d05f4817de
If your app is handling data from a webhook action in a workflow, or if you're returning data for a custom CRM card, the request from HubSpot is sent with the X-HubSpot-Signature-Version
header set to v2
. The X-HubSpot-Signature
header will be an SHA-256 hash built using the client secret of your app combined with details of the request.
To verify this signature, perform the following steps:
- Create a string that concatenates together the following:
Client secret
+http method
+URI
+request body
(if present) - Create a SHA-256 hash of the resulting string.
- Compare the hash value to the signature.
- If they're equal then this request has passed validation.
- If these values do not match, then this request may have been tampered with in-transit or someone may be spoofing requests to your endpoint.
Notes:
- The URI used to build the source string must exactly match the original request, including the protocol. If you're having trouble validating the signature, ensure that any query parameters are in the exact same order they were listed in the original request.
- The source string should be UTF-8 encoded before calculating the SHA-256 hash.
Example for a GET request:
Client secret
: yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyyHTTP Method
: GETURI
: https://www.example.com/webhook_uri
Example for a request with a body:
Client secret
: yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyyHTTP Method:
POSTURI
: https://www.example.com/webhook_uriRequest body
:{"example_field":"example_value"}
The X-HubSpot-Signature-v3
header will be an HMAC SHA-256 hash built using the client secret of your app combined with details of the request. It will also include a X-HubSpot-Request-Timestamp
header.
When validating a request using the X-HubSpot-Signature-v3 header, you'll need to
- Reject the request if the timestamp is older than 5 minutes.
- In the request URI, decode any of the URL-encoded characters listed in the table below. You do not need to decode the question mark that denotes the beginning of the query string.
Encoded value | Decoded value |
---|---|
%3A |
: |
%2F |
/ |
%3F |
? |
%40 |
@ |
%21 |
! |
%24 |
$ |
%27 |
' |
%28 |
( |
%29 |
) |
%2A |
* |
%2C |
, |
%3B |
; |
- Create a utf-8 encoded string that concatenates together the following:
requestMethod
+requestUri
+requestBody
+ timestamp. The timestamp is provided by theX-HubSpot-Request-Timestamp
header. - Create an HMAC SHA-256 hash of the resulting string using the application secret as the secret for the HMAC SHA-256 function.
- Base64 encode the result of the HMAC function.
- Compare the hash value to the signature. If they're equal then this request has been verified as originating from HubSpot. It's recommended that you use constant-time string comparison to guard against timing attacks.
Thank you for your feedback, it means a lot to us.