Validating the v2 request signature

Last updated August 13, 2019

See this page for more details about validation, and for details on validating other versions of the signature.

When the request from HubSpot is sent with the X-HubSpot-Signature-Version header set to v2, the X-HubSpot-Signature header will be an SHA-256 hash built using the client secret of your app combined with details of the request.

To verify this signature, perform the following steps:

  • Create a string that concatenates together the following: App secret + http method + URI + request body (if present)
  • Create a SHA-256 hash of the resulting string.
  • Compare the hash value to the signature.
    • If they're equal then this request has passed validation.
    • If these values do not match, then this request may have been tampered with in-transit or someone may be spoofing requests to your endpoint.

Note: The URI used to build the source string must exactly match the original request, including the protocol. If you're having trouble validating the signature, ensure that any query parameters are in the exact same order they were listed in the original request.

Example for a GET request:

Source String:
yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyyGEThttps://www.example.com/webhook_uri
The resulting hash would be:
eee2dddcc73c94d699f5e395f4b9d454a069a6855fbfa152e91e88823087200e

Example for a request with a body:

Source String:
yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyyPOSThttps://www.example.com/webhook_uri{"example_field":"example_value"}
The resulting hash would be:
9569219f8ba981ffa6f6f16aa0f48637d35d728c7e4d93d0d52efaa512af7900