I have inherited a Hubspot app that I am trying to integrate with an external web application.
I have a workflow that is triggering a webhook request to my external API. I'm trying to validate the X-HubSpot-Signature in the POST request. The documentation says to create a SHA256 hash from a concatenation of APP Secret + HTTP method + URI + Request body.
The problem is that I have no idea what my app secret (or "client secret", as the documentation seems to use interchangeably) is. The documentation around that suggests looking in my App dashboard, which doesn't seem to exist anywhere on my dashboard. I can create a new app, but that doesn't help me with the one I already have.
Is it possible that the account I'm working in is not an "app" at all but rather, a "website"? If so, why is it allowing me to trigger a webhook with a signature at all? Has anyone else gone through this?
I contacted support, but they don't seem to know what an app secret is or where I would look for one. Any suggestions would be incredible, thanks!
It looks like you're looking to authenticate the requests to your workflow webhook for your app 202017 and in this case the app-secret is referring to the client secret of the app which you can locate in your HubSpot developer account > Click into app 202017:
I have a question about this. In my scenario, we don't have a developers account, we have webhooks in workflows in a non-developers account. The hook is sending a signed POST request to my endpoint. What is it using for "client-secret" and where can I see it?
If you're looking to verify the request signatures in your workflow webhooks, you'd need to own a developer account and get the client secret from the app.