topic Re: Unable to validate signature on workflow webhook request in APIs & Integrations

Unable to validate signature on workflow webhook request

Paul-Harapiak — Wed, 27 Sep 2023 17:21:27 GMT

I've been through the docs, the other questions posted here, and I'm still unable to discover what I'm doing wrong. I have created a private app (id=2086776)

On my workflow's webhook definition, I've specified "Include request signature in header", and specified the id of my app
I'm using the "Test" button on the webhook editor pane, and ngrok to get to my local server.
the request comes to my server with a version header "v2", and both x-hubspot-signature and x-hubspot-signature-v3 values.
I'm calling the Hubspot Nodejs SDK method Signature.isValid(), with these values:
- {
  clientSecret: 'pat-na1-24***my private app access key',
  method: 'POST',
  requestBody: '{"email":"ph@test.com","phone":"+2223334444","orgType":"Carrier","lastName":"Hara","firstName":"Paul","companyName":"Sumac"}',
  signature: 'c174e6ffe4910dbbfe366a3c2afd499ef0c70e1c24824d317a1d1e81aa6c713f',
  signatureVersion: 'v2',
  timestamp: 1695833200131,
  url: 'https://6e49-199-91-115-68.ngrok-free.app/demo-api/users/create-demo-user'
  }

Can you spot my error?

More info:

I've also tried to verify the v3 signature, using the whole url, and just the "/demo-api/users/create-demo-user" part, but got no match
I have tried Signature.getSignature() with the above values, and get a different result, but if I pass that result into Signature.isValid, I get a passing result. (for both v2 and v3)

I'm wondering if I've misunderstood the use of private app keys and how they are used to generate the signature on the hubspot side.

The app number I've supplied for the webhook config matches my private app, and I've copied the Access token from my private app to use on my server as the clientSecret. (I've noticed an oddity: If I drop a couple digits off the "Hubspot App Id" value in the webhook config screen, and test, I don't get an error, and I get a different signature.)

Re: Unable to validate signature on workflow webhook request

Jaycee_Lewis — Thu, 28 Sep 2023 22:29:13 GMT

Hi, @Paul-Harapiak 👋 I did a bit of testing.

A few questions:

Have you opted your user or the entire portal into this beta?
Once opted in, when you navigate to Settings > Private Apps > Your App > the Auth tab, do you see both the Access token and Client secret options?

I ask because it looks like you've input your Access token and not the secret. I didn't have it in my portal until I opted myself in.

Talk soon! — Jaycee

Re: Unable to validate signature on workflow webhook request

Paul-Harapiak — Sun, 01 Oct 2023 04:34:33 GMT

Thank you, that did it for me. I was unaware of the beta program for using private apps in workflow webhooks. Once I enrolled I was able to see the secret key, and successfully use it to verify the webhook signature.

Re: Unable to validate signature on workflow webhook request

Jaycee_Lewis — Mon, 02 Oct 2023 14:17:41 GMT

Amazing! Thanks for letting us know — Jaycee