APIs & Integrations

Search APIs & Integrations for solutions or ask a question
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
alvinlzg

‎Aug 7, 2019 4:38 AM

Participant

Webhook request body and validating hash

SOLVE

Hi all, 

I'm currently using workflow webhook. I understand that the JSON body will consist of the whole Contact object and that cannot be changed. My question is, how can I then get the request body and validate the hash?

 

Is it my client has to use the entire request body passed from HS and generate the hash like below and finally compare it?

client_secret = 'yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy'
http_method = 'POST'
http_uri = 'https://www.example.com/webhook_uri'
source_string = client_secret + http_method + http_uri + request_body
hashlib.sha256(source_string).hexdigest()

 Is there any way I can monitor this from the App (with the client secret)?

 

Thanks.

Webhooks Workflows
0 Upvotes
1 Accepted solution
Derek_Gervais
Solution
HubSpot Alumni

‎Aug 7, 2019 4:10 PM

HubSpot Alumni

Webhook request body and validating hash

SOLVE

Hey @alvinlzg,

 

You're exactly correct; to validate the signature, you'll need to concatenate your secret, method, URI, and request body & hash them. There isn't any way to monitor this validation in the HubSpot App Monitoring, since the actual comparison is happening in your code. 

 

Also, just to clarify, the 'request body' in this case is everything in the body that you recieve from HubSpot. So the full contact record is what's included in the concatenated string & hashed.

View solution in original post

4 Replies 4
Derek_Gervais
Solution
HubSpot Alumni

‎Aug 7, 2019 4:10 PM

HubSpot Alumni

Webhook request body and validating hash

SOLVE

Hey @alvinlzg,

 

You're exactly correct; to validate the signature, you'll need to concatenate your secret, method, URI, and request body & hash them. There isn't any way to monitor this validation in the HubSpot App Monitoring, since the actual comparison is happening in your code. 

 

Also, just to clarify, the 'request body' in this case is everything in the body that you recieve from HubSpot. So the full contact record is what's included in the concatenated string & hashed.

alvinlzg

‎Aug 8, 2019 5:53 AM

Participant

Webhook request body and validating hash

SOLVE

Thanks! It's that simple. 

I'll have to figure out the longer term solution so that I only pass selected properties through. 

 

Thanks again

0 Upvotes
Derek_Gervais
HubSpot Alumni

‎Aug 8, 2019 11:21 AM

HubSpot Alumni

Webhook request body and validating hash

SOLVE

Hey @alvinlzg ,

 

Glad I could help! As far as only passing certain properties is concerned; you might want to investigate Workflow extensions and/or the Webhooks API. Configuring and using them is more involved than the workflow webhook action, but they're far more flexible and extensible, and allow you to configure specific property change subscriptions, among other things.

0 Upvotes
alvinlzg

‎Aug 8, 2019 11:48 PM

Participant

Webhook request body and validating hash

SOLVE

Thanks for the tips! 

0 Upvotes
Sunny

Sign up for the Developer Newsletter

Fresh content delivered to your inbox every month.
Webhook request body and validating hash
Developers
Aug 8, 2019