SFlorina
Member

Webhooks - authentication type Api key - secret name and secret value - in PHP

Hello.

I am trying to authenticate a webhook using an API key (secret name and secret value). So I have made two files:

 

webhook.php :

<?php 

include('webhook-api-key.php');
// Retrieve the request body from the webhook POST request
if ($http_status_code === 200){
        $request_body = file_get_contents('php://input');

        // Convert the request body from JSON to a PHP object
        $request_data = json_decode($request_body);

        // Extract the contact properties from the request data
        $contact_properties = $request_data->properties;

        // Extract the email property value
        $email = $contact_properties->email->value;

        // Extract the first name property value
        $first_name = $contact_properties->firstname->value;

        // Extract the last name property value
        $last_name = $contact_properties->lastname->value;

        // Do something with the contact data, such as adding it to a database or sending an email notification
        // For example:
        $contact_data = array(
            'email' => $email,
            'first_name' => $first_name,
            'last_name' => $last_name
        );
        // Add the contact data to a database or send an email notification, etc.

        // Send a HTTP response to HubSpot indicating that the webhook was successfully received and processed
        http_response_code(200);
}

?>

 

and webhook-api-key.php:

<?php 

$endpoint_url = 'https:/.../hubspot/webhook.php';

// Set up the API key secret name and secret value
$api_key_secret_name = 'word';
$api_key_secret_value = 'anther_word';

// Set up the HTTP POST request headers
$headers = array(
    'Content-Type: application/json',
    'Authorization: Bearer '.$api_key_secret_value
);

// Set up the HTTP POST request body
$body = array(
    'api_key' => $api_key_secret_value
);

// Send the HTTP POST request to the webhook endpoint URL
$ch = curl_init($endpoint_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($body));
$response = curl_exec($ch);

// Check for errors
if(curl_errno($ch)) {
    $error_message = curl_error($ch);
    echo 'Error: '.$error_message;
}

// Get the HTTP response status code
$http_status_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

// Close the HTTP POST request
curl_close($ch);

// Handle the webhook response
if ($http_status_code === 200) {
    echo 'Webhook successfully authenticated.';
} else {
    echo 'Webhook authentication failed with HTTP status code: ' . $http_status_code;
}

?>

 

And in the HubSpot configuration, the URL is 'https:/.../hubspot/webhook.php'.

 

Is it OK this way? I am asking because it killed my server when I tried to test it, and I cannot find examples on the internet using this kind of authentication.

 

Thank you!

0 Upvotes
1 Accepted solution
SFlorina
Solution
Member

Hello. So it is actually quite simple. There are no examples on the internet, and the documentation is poor; it explains more about the HubSpot signature than the API key.
I understood eventually how it works, and here is the working code:


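<?php

$expectedSecretName = 'word'; // Replace with your expected secret name
$expectedSecretValue = 'another_word'; // Replace with your expected secret value

$requestBody = file_get_contents('php://input');
$data = json_decode($requestBody);

// The secret value arrives in a request header named after the secret name,
// which PHP exposes as $_SERVER['HTTP_WORD'] for a header called "word".
$receivedSecretValue = $_SERVER['HTTP_WORD'] ?? '';

// hash_equals() compares as strings in constant time; == would type-juggle numeric strings
if (hash_equals($expectedSecretValue, $receivedSecretValue)) {
    // do something with values
    $email = $data->email;
    $firstname = $data->firstname;
    $lastname = $data->lastname;
} else {
    // not from HubSpot
    http_response_code(401);
}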

0 Upvotes
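
A fuller receiver built on the accepted answer, as an added example rather than code from the thread or from HubSpot. It assumes, as that answer does, that the secret value arrives in a request header named after the secret name; `handle_webhook`, `server_key_for_header` and the `WEBHOOK_SECRET_*` environment variable names are hypothetical.

```php
<?php
// Added example, not HubSpot's or the poster's code. Header-per-secret-name behaviour
// is taken from the accepted answer; the WEBHOOK_SECRET_* env names are hypothetical.

/** Map a header name to its $_SERVER key, e.g. "x-hook-key" -> "HTTP_X_HOOK_KEY". */
function server_key_for_header(string $headerName): string
{
    return 'HTTP_' . strtoupper(str_replace('-', '_', $headerName));
}

/** Return [HTTP status, decoded payload or null] for one incoming request. */
function handle_webhook(array $server, string $rawBody, string $secretName, string $secretValue): array
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return [405, null];
    }
    $received = $server[server_key_for_header($secretName)] ?? null;
    // hash_equals() is a constant-time string comparison; == would type-juggle numeric strings.
    if (!is_string($received) || $secretValue === '' || !hash_equals($secretValue, $received)) {
        return [401, null];                  // reject before touching the body
    }
    $payload = json_decode($rawBody, true);
    if (!is_array($payload)) {
        return [400, null];                  // authenticated, but not valid JSON
    }
    return [200, $payload];
}

if (PHP_SAPI === 'cli') {
    // Constructed sample requests so the logic can be exercised offline.
    $body = '{"email":"a@example.com","firstname":"Ana","lastname":"Pop"}';
    $cases = [
        'valid header'   => [['REQUEST_METHOD' => 'POST', 'HTTP_WORD' => 'another_word'], $body],
        'wrong value'    => [['REQUEST_METHOD' => 'POST', 'HTTP_WORD' => 'guess'], $body],
        'secret in body' => [['REQUEST_METHOD' => 'POST'], '{"secretValue":"another_word"}'],
        'bad JSON'       => [['REQUEST_METHOD' => 'POST', 'HTTP_WORD' => 'another_word'], '{oops'],
    ];
    foreach ($cases as $label => [$server, $raw]) {
        [$status] = handle_webhook($server, $raw, 'word', 'another_word');
        echo str_pad($label, 16), $status, PHP_EOL;
    }
} else {
    // Real request: the receiver only reads and answers; it never calls its own URL.
    [$status, $payload] = handle_webhook($_SERVER, file_get_contents('php://input'),
        getenv('WEBHOOK_SECRET_NAME') ?: '', getenv('WEBHOOK_SECRET_VALUE') ?: '');
    http_response_code($status);
}
```

Run from the command line, it prints the status each constructed request would receive; served by a web server, it reads the secret from the environment instead of the source file.
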
SFlorina
Member

I realized my code is not OK; it is not OK how I check the authenticity of the secret name and value. Here is my updated code:

<?php

$expectedSecretName = 'word'; // Replace with your expected secret name
$expectedSecretValue = 'another_word'; // Replace with your expected secret value

$requestBody = file_get_contents('php://input');
$data = json_decode($requestBody, true);

if (isset($data['secretName']) && isset($data['secretValue'])) {
    $actualSecretName = $data['secretName'];
    $actualSecretValue = $data['secretValue'];

    if ($actualSecretName === $expectedSecretName && $actualSecretValue === $expectedSecretValue) {
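        // json_decode(..., true) returns arrays, so read the properties from $data with array access
        $contact_properties = $data['properties'];
        $email = $contact_properties['email']['value'];
        $firstname = $contact_properties['firstname']['value'];
        $lastname = $contact_properties['lastname']['value'];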
        echo 'Secret name and value are proper';
    } else {
        echo 'Invalid secret name or value';
    }
}

?>

 

Is this the correct way to check the secret name/value?

Thank you!

0 Upvotes
SFlorina
Member

I understand.

But the files are OK? The endpoint_url?

The files' content, the way the endpoint_url is included, and how I divided the code?

$ch = curl_init($endpoint_url); - is it OK to have this URL here, and then to include the file webhook.php in the webhook-api-key.php?

Thank you!

0 Upvotes
TDwebdev
Contributor | Diamond Partner

Hi Sflorina,

 

You can remove the API key and only use the Bearer AUTH.



Vet Digital

0 Upvotes