range of IP addresses for custom code http requests

aaberni · ‎Jan 19, 2022

Hello,

I developed a custom code block that performs a REST api http request towards an internal web service whenever a contact satisfies some conditions. I need to find if there is a specific range of ip addresses from which I can expect the api call to be sent, so that I can allowlist them in my service.

I found in https://knowledge.hubspot.com/email/not-receiving-hubspot-system-or-notification-emails that the Marketing, Sales and Service Hubs all have specific sets of ip addresses but the Operations hub is not mentioned.

Moreover, I tested the implementation and the IP address from which I receive the requests is none of the ones that are listed in the link.

Is there some piece of documentation I am missing?

regards

jbogaert · ‎Jan 21, 2022

Hi there! I asked one of our experts and unfortunately what you suggested (using a shared secret value) is probably your best bet, unless you’re able to use the webhook action to make the request and then add the response body from the webhook action as an input to the custom code action.

The email IPs are shared for a very specific use case, but they’re a tiny subset of the IP addresses that HubSpot actually uses. HubSpot uses hundreds of IP addresses, and they change all the time, so publishing a full list and keeping it up to date wouldn’t be possible.

Join us on March 27th at 12 PM for the Digital Essentials Lab, an interactive session designed to redefine your digital strategy!
Engage with expert Jourdan Guyton to gain actionable insights, participate in live Q&A, and learn strategies to boost your business success.
Don't miss this opportunity to connect and grow—reserve your spot today!

jbogaert · ‎Jan 20, 2022

Hi @aaberni

Unfortunately, HubSpot does not publish IP addresses or IP ranges for requests coming from its server, since they change so frequently. If you’re looking to verify that a request is coming from HubSpot, I’d recommend taking a look at our docs on validating requests from HubSpot.

Hope this helps!

Join us on March 27th at 12 PM for the Digital Essentials Lab, an interactive session designed to redefine your digital strategy!
Engage with expert Jourdan Guyton to gain actionable insights, participate in live Q&A, and learn strategies to boost your business success.
Don't miss this opportunity to connect and grow—reserve your spot today!

aaberni · ‎Jan 20, 2022

Hello @jbogaert ,

actually the two headers referred to in the doc pages you linked (X-HubSpot-Signature and X-HubSpot-Signature-Version) are not automatically populated when the requests are performed by a custom code block in a workflow. I suppose I could share a secret key between my external rest endpoint and hubspot and use that secret to compute a digest of the request payload and put that digest in a header field that I could call "X-HubSpot-Signature". In that case I would be reproducing the hubspot native functionality from whithin my custom code block, and that seems like a redundancy I could go without.

I don't get why the ip addresses from which marketing emails are coming ( https://knowledge.hubspot.com/email/contacts-not-receiving-your-marketing-emails ) are published but the ones I need are not.

regards

⚙ Operations Hub