The problem is how to generate the hash when there is no body. Per the docs (https://developers.hubspot.com/docs/methods/webhooks/webhooks-overview#user-content-security), we should concatenate the app secret with the request body, but in the GET there is no body…

To verify this signature, concatenate the app secret of your application and the un-parsed request body of the request you’re handling, and get a SHA-256 hash of the result. Compare the resulting hash with the value of the X-HubSpot-Signature. If these values match, then this verifies that this request came from HubSpot. (Or someone else who knows your application secret. It’s important to keep this value secret.) If these values do not match, than this request may have been tampered with in-transit or someone may be spoofing webhook notifications to your endpoint.

Hi @cre

The X-HubSpot-Signature header should be present for both POST and GET requests that come from HubSpot, so validating the header should work pretty much the same for both methods. Are you seeing any specific issues or differences with the GET requests?