Bugfix: Update for Webhook Association Events Containing Internal CRM Objects
We've updated our Webhooks execution flow to enhance security by ensuring that association events containing non-public CRM objects are no longer sent to external integrators. This change shouldn’t require immediate action from customers, but it may impact existing and future Webhook subscriptions and needs to be reviewed.
What's changing?
Our Webhooks inadvertently sent updates about CRM object association events that should remain internal in public APIs/views. To address this oversight, future Webhook updates will no longer include association events for these internal CRM objects, such as MARKETING_SMS, CAMPAIGN_SPEND_ITEM, FORM, SOCIAL_POST, etc.
For example, if you have a Webhook set up to monitor SMS-related activity within a HubSpot account, and the Webhook listens for updates such as MARKETING_SMS to manage marketing SMS activity. With this new security enhancement, the Webhook will no longer send updates for events that invoke internal CRM objects, such as MARKETING_SMS. This means that association events related to internal objects will not trigger your Webhook, preventing any external access to sensitive internal CRM data.
This change will be a breaking change, affecting only existing and future Webhook subscriptions that may have been using updates on internal CRM objects. Specifically, any Webhooks configured to listen for updates on non-public CRM objects will no longer receive these updates after the change.
How does this impact developers?
Developers should review their current integrations and determine if they rely on receiving Webhook data for any non-public objects that will be affected by this change. If so, modifications to their integration logic may be necessary to accommodate the absence of this data. Check your systems for dependencies on internal objects and plan updates accordingly to ensure no application disruptions.
When is it happening?
This update takes effect today, April 23, 2025. Questions or comments? Join us below in the developer forums for a peer-to-peer discussion.
Bugfix: Update for Webhook Association Events Containing Internal CRM Objects
The update relates to "CRM object associations that shouldremain internal in public APIs/views" and gives a few examples with "MARKETING_SMS, CAMPAIGN_SPEND_ITEM, FORM, SOCIAL_POST, etc."
Can you provide a comprehensive list of current object associations that will no longer be sent? And/or can you give a more specific definition of what "should remain internal in public APIs/views" or what are public/non-public CRM objects?
I'm thinking specifically about my Custom Objects, but I'd imagine there are a million little integrations people may want to validate, so adding additional clarity about the change is probably easier than responding to every individual concern.
Bugfix: Update for Webhook Association Events Containing Internal CRM Objects
Thank you for your question and comment @baribeau !
Non-public/internal objects are used exclusively by HubSpot’s internal platforms, features, or legacy infrastructure and are not intended to be exposed via the standard public APIs. Their data, structure, or relationships are considered proprietary, sensitive, or are not designed to be externally supported.
It is essential to note that this change is specifically targeted at association events involving internal, non-public CRM objects. Historically, direct access and Webhook events for these internal objects were already restricted from public APIs. However, there was an oversight where association events—events triggered when these internal objects were linked with public objects—were still being sent via Webhooks. This update closes that gap and aligns association event handling with existing data security policies. Other Webhook event types and all association events involving only public objects (including your Custom Objects) are not affected and will continue to function as before.
.png "HubSpot Employee"){kind=icon}
