Now Live: Webhook signature versioning

zwolfson
HubSpot Employee

What’s happening?

Starting today, we're including an additional header with any requests sent from HubSpot. This header, named X-HubSpot-Signature-Version, will indicate which version of the signature is included in this request. This new header will make it easier to determine which method should be used to validate the request signature included in the X-HubSpot-Signature header. This will also make it possible to programmatically determine which validation method should be used for any given request.

This header will be included for requests sent by HubSpot, including requests made for webhooks, CRM Extensions, and Workflow Extensions.

What’s changing?

Please note: The method used to validate the request signature is not changing for any requests. The existing method that you're using to validate the signature should still be used for any requests you're currently receiving from HubSpot. This change only adds an additional header that can be used to programmatically determine which validation method should be used.

The signature versions are defined as follows:

  • v1 - an SHA-256 hash built using the client secret of your app and the request body - Used with webhooks.
  • v2 - an SHA-256 hash built using the client secret of your app, the HTTP method, request URI, and request body - Used with CRM Extensions and Workflow Extensions.

When is this happening?

This new header is currently live.

If you have any questions please let us know by replying to this forum thread.

0 Replies

No replies on this post just yet

No one has replied to this post quite yet. Check back soon to see if someone has a solution, or submit your own reply if you know how to help! Karma is real.

Reply to post

Need help replying? Check out our Community Guidelines

0 Replies 0