Validating requests from HubSpot

Last updated May 14, 2019

Note: Requests sent by the Webhooks API use a different validation method. Please see the instructions in the Webhooks Overview for more details.

To ensure that the requests you're getting at your subscription or fetch URIs are actually coming from HubSpot, we populate an X-HubSpot-Signature header. The header value is a SHA-256 hash built using the client secret of your app combined with details of the request.

To verify this signature, perform the following steps:

  • Create a string that concatenates the following: App secret + HTTP method + URI + request body (if present)
  • Create a SHA-256 hash of the resulting string.
  • Compare the hash value to the signature.
    • If they're equal, then this request has passed validation.
    • If these values do not match, then this request may have been tampered with in transit or someone may be spoofing requests to your endpoint.

Example for a GET request:

Source String: yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyyGET
The resulting hash would be: eee2dddcc73c94d699f5e395f4b9d454a069a6855fbfa152e91e88823087200e

Example for a request with a body:

Source String: yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyyPOST{"example_field":"example_value"}
The resulting hash would be: 9569219f8ba981ffa6f6f16aa0f48637d35d728c7e4d93d0d52efaa512af7900
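
The verification steps above as a Python sketch. This is an added example, not HubSpot's code: the function names and the sample secret, URI and body are constructed, and the constant-time comparison is a hardening choice the page does not specify.

```python
import hashlib
import hmac
from typing import Optional


def compute_signature(client_secret: str, method: str, uri: str, body: bytes = b"") -> str:
    """SHA-256 hex digest of: app secret + HTTP method + URI + request body."""
    # Hash the body bytes exactly as received. Re-serializing parsed JSON can
    # change whitespace or key order and produce a different digest.
    source = (client_secret + method + uri).encode("utf-8") + body
    return hashlib.sha256(source).hexdigest()


def is_valid_request(client_secret: str, method: str, uri: str, body: bytes,
                     signature_header: Optional[str]) -> bool:
    """Return True only if the X-HubSpot-Signature value matches our own hash."""
    if not signature_header:
        return False  # header absent or empty: reject the request
    expected = compute_signature(client_secret, method, uri, body)
    # Constant-time comparison (this example's choice, not stated on the page).
    # Comparing bytes avoids a TypeError on non-ASCII header values.
    return hmac.compare_digest(expected.encode("ascii"),
                               signature_header.strip().encode("utf-8"))


if __name__ == "__main__":
    # Constructed sample values, not real credentials or endpoints.
    secret = "constructed-app-secret"
    uri = "https://app.example.com/hubspot/fetch"
    body = b'{"example_field":"example_value"}'

    header = compute_signature(secret, "POST", uri, body)  # what the sender would set
    print("valid request:   ", is_valid_request(secret, "POST", uri, body, header))
    print("altered body:    ", is_valid_request(secret, "POST", uri, body + b" ", header))
    print("missing header:  ", is_valid_request(secret, "POST", uri, body, None))
```

Pass the URI and raw body exactly as your server received them; a URI rebuilt behind a proxy or a body re-encoded by a framework will fail validation even for genuine requests.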