APIs & Integrations

Search APIs & Integrations for solutions or ask a question
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
story2dev

‎Sep 6, 2019 9:03 PM

Member

Parsing webhook signature with app secret

I have inherited a Hubspot app that I am trying to integrate with an external web application.

 

I have a workflow that is triggering a webhook request to my external API. I'm trying to validate the X-HubSpot-Signature in the POST request. The documentation says to create a SHA256 hash from a concatenation of APP Secret + HTTP method + URI + Request body.

 

The problem is that I have no idea what my app secret (or "client secret", as the documentation seems to use interchangeably) is. The documentation around that suggests looking in my App dashboard, which doesn't seem to exist anywhere on my dashboard. I can create a new app, but that doesn't help me with the one I already have. 

 

Is it possible that the account I'm working in is not an "app" at all but rather, a "website"? If so, why is it allowing me to trigger a webhook with a signature at all? Has anyone else gone through this? 

 

I contacted support, but they don't seem to know what an app secret is or where I would look for one. Any suggestions would be incredible, thanks!

Webhooks
0 Upvotes
3 Replies 3
WendyGoh
HubSpot Employee

‎Sep 9, 2019 2:56 AM

HubSpot Employee

Parsing webhook signature with app secret

Hi @story2dev,

 

I hope all is well with you 😄

 

It looks like you're looking to authenticate the requests to your workflow webhook for your app 202017 and in this case the app-secret is referring to the client secret of the app which you can locate in your HubSpot developer account > Click into app 202017:

clientsecret.png

 

You can also refer to this documentation here: How do I create an app in HubSpot?

 

Hope this helps to further clarify things!

0 Upvotes
joesantos386

‎Sep 16, 2020 4:27 PM

Member

Parsing webhook signature with app secret

I have a question about this. In my scenario, we don't have a developers account, we have webhooks in workflows in a non-developers account. The hook is sending a signed POST request to my endpoint. What is it using for "client-secret" and where can I see it?

0 Upvotes
WendyGoh
HubSpot Employee

‎Sep 16, 2020 10:28 PM

HubSpot Employee

Parsing webhook signature with app secret

Hey @joesantos386,

 

If you're looking to verify the request signatures in your workflow webhooks, you'd need to own a developer account and get the client secret from the app. 

 

Here's the article that goes more in details: Use webhooks with HubSpot workflows

0 Upvotes
Sunny

Sign up for the Developer Newsletter

Fresh content delivered to your inbox every month.
Parsing webhook signature with app secret
Developers
Sep 16, 2020