I've also tried to verify the v3 signature, using the whole url, and just the "/demo-api/users/create-demo-user" part, but got no match
I have tried Signature.getSignature() with the above values, and get a different result, but if I pass that result into Signature.isValid, I get a passing result. (for both v2 and v3)
I'm wondering if I've misunderstood the use of private app keys and how they are used to generate the signature on the hubspot side.
The app number I've supplied for the webhook config matches my private app, and I've copied the Access token from my private app to use on my server as the clientSecret. (I've noticed an oddity: If I drop a couple digits off the "Hubspot App Id" value in the webhook config screen, and test, I don't get an error, and I get a different signature.)
Unable to validate signature on workflow webhook request
Thank you, that did it for me. I was unaware of the beta program for using private apps in workflow webhooks. Once I enrolled I was able to see the secret key, and successfully use it to verify the webhook signature.