APIs & Integrations

sketchy
Participant

X-HubSpot-Signature for CRM Extensions

SOLVE

I'm running a HubSpot application, I can't verify the `X-HubSpot-Signature` for the GET requests in a CRM Extension.

 

I'm unsure how to treat the query string that is sent with the request. 

 

The original data fetch request makes a request like the following;

GET https://example.com/demo-tickets?userId=12345&userEmail=testuser@example.com&associatedObjectId=78912&associatedObjectType=COMPANY&portalId=9999999&domain=testcompany.com

I would assume the signature would be

 

XXXGEThttps://example.com/demo-tickets?userId=12345&userEmail=testuser@example.com&associatedObjectId=78912&associatedObjectType=COMPANY&portalId=9999999&domain=testcompany.com

 

XXX = the client secret. 

I've tried this method and the X-HubSpot-Signature doesn't match.

 

Is anyone else having this problem?

0 Upvotes
1 Accepted solution
Willson
Solution
HubSpot Employee
HubSpot Employee

X-HubSpot-Signature for CRM Extensions

SOLVE

Hey @sketchy 

 

Apologies for the delay here! I have confirmed with our team that the request validation for CRM Extensions currently uses our v2 method.


This is outlined here. Are you able to test and confirm the results using the examples provided in the docs?

 

Specifically for a GET request:

Source String:
yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyyGEThttps://www.example.com/webhook_uri
The resulting hash would be:
eee2dddcc73c94d699f5e395f4b9d454a069a6855fbfa152e91e88823087200e

 

Being sure to include the query parameters as part of the URI as mentioned previously. If you're more comfortable, you can DM me with the details of your testing so we have specifics to work with from your end.


Thanks!

Product Manager @ HubSpot

View solution in original post

0 Upvotes
9 Replies 9
svamja
Member

X-HubSpot-Signature for CRM Extensions

SOLVE

I faced this for days, even the accepted answer did not work, because it is just copy paste from documentation.

My problem was with the URL. I was taking the URL as provided by Request object by Java, but it was slightly different (encoded) from the URL sent by HubSpot.

To figure out the URL sent by HubSpot, go to your App > Monitoring > CRM Extensions. This is where I found the correct URL and it solved the issue for me.

0 Upvotes
Willson
HubSpot Employee
HubSpot Employee

X-HubSpot-Signature for CRM Extensions

SOLVE

Hey @sketchy 

 

This is correct, providing an example, the source string being used be structured as follows:

'yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy[{"eventId":1,"subscriptionId":12345,"portalId":62515,"occurredAt":1564113600000,"subscriptionType":"contact.creation","attemptNumber":0,"objectId":123,"changeSource":"CRM","changeFlag":"NEW","appId":54321}]'

The above is done using the process of concatenating the string together to yield: Client secret + http method + URI + request body

 

Have you ran through our Docs on signature validation to ensure you're correctly following the steps required?

 

I hope this helps!

Product Manager @ HubSpot
0 Upvotes
sketchy
Participant

X-HubSpot-Signature for CRM Extensions

SOLVE

Thanks @Willson .

 

I've got it working fine for the POST requests that contain a body, but still can't get it working for a GET request.

 

As an example;

 

clientSecret: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
method: GET
url: https://www.domain.com/crmExtension?associatedObjectId=1&associatedObjectType=CONTACT&portalId=1&userEmail=email%40domain.com&userId=1
body: null
I have tried the following to get the signature to match, but none work
 
aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeeeGEThttps://www.domain.com/crmExtension?associatedObjectId=1&associatedObjectType=CONTACT&portalId=1&userEmail=email%40domain.com&userId=1

aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeeeGEThttps://www.domain.com/crmExtension?associatedObjectId=1&associatedObjectType=CONTACT&portalId=1&userEmail=email%40domain.com&userId=1null

aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeeeGEThttps://www.domain.com/crmExtension

aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeeeGEThttps://www.domain.com/crmExtension{"associatedObjectId":1,"associatedObjectType":"CONTACT","portalId:1,"userEmail":"email%40domain.com","userId":1}

aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeeeGEThttps://www.domain.com/crmExtension[{"associatedObjectId":1,"associatedObjectType":"CONTACT","portalId:1,"userEmail":"email%40domain.com","userId":1}]
The documentation doesn't mention how to handle querystring parameters, are they considered to be part of the URI? 
 
It seems no matter what I try with the GET request for a CRM Extension I can't get the signature to validate.
 
 
 
 
Willson
HubSpot Employee
HubSpot Employee

X-HubSpot-Signature for CRM Extensions

SOLVE

Hey @sketchy 

 

In order to check this from my end, would you be able to provide me with the App Id? 

 

Thanks!

Product Manager @ HubSpot
0 Upvotes
sketchy
Participant

X-HubSpot-Signature for CRM Extensions

SOLVE

Hey @Willson , the App ID is 216281

0 Upvotes
sketchy
Participant

X-HubSpot-Signature for CRM Extensions

SOLVE

Hey @Willson any update?

0 Upvotes
Willson
Solution
HubSpot Employee
HubSpot Employee

X-HubSpot-Signature for CRM Extensions

SOLVE

Hey @sketchy 

 

Apologies for the delay here! I have confirmed with our team that the request validation for CRM Extensions currently uses our v2 method.


This is outlined here. Are you able to test and confirm the results using the examples provided in the docs?

 

Specifically for a GET request:

Source String:
yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyyGEThttps://www.example.com/webhook_uri
The resulting hash would be:
eee2dddcc73c94d699f5e395f4b9d454a069a6855fbfa152e91e88823087200e

 

Being sure to include the query parameters as part of the URI as mentioned previously. If you're more comfortable, you can DM me with the details of your testing so we have specifics to work with from your end.


Thanks!

Product Manager @ HubSpot
0 Upvotes
sketchy
Participant

X-HubSpot-Signature for CRM Extensions

SOLVE

Thanks Matt,

 

The problem I've run into is AWS Lambda appears to parse and reorder the querystring parameters. So my signature wasn't validated.

 

How that I've seen the raw request I'm able to validate.

 

Thanks for your help!

0 Upvotes
AChong1
Contributor

X-HubSpot-Signature for CRM Extensions

SOLVE

Where did you find the raw request? And which of your strings above was correct when reordered?

0 Upvotes