As of November 30, 2022, HubSpot API Keys are being deprecated and are no longer supported. Continued use of HubSpot API Keys is a security risk to your account and data. Your API Keys could be deactivated at any time after Nov. 30th, and we recommend that you migrate to Private Apps as soon as possible so you do not lose business-critical functionality.

Validating the v1 request signature

Last updated June 17, 2020

See this page for more details about validation, and for details on validating other versions of the signature.

When the request from HubSpot is sent with the X-HubSpot-Signature-Version header set to v1, the X-HubSpot-Signature header will be a SHA-256 hash built using the client secret of your app combined with details of the request.

To verify this signature, perform the following steps:

  • Create a string that concatenates together the following:
    • App secret
    • Request body (if present)
  • Create a SHA-256 hash of the resulting string.
  • Compare the hash value to the signature.
    • If they're equal then this request has passed validation.
    • If these values do not match, then this request may have been tampered with in transit or someone may be spoofing requests to your endpoint.

Example for a request with a body:

  • Client secret: yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy
  • Request body: [{"eventId":1,"subscriptionId":12345,"portalId":62515,"occurredAt":1564113600000,"subscriptionType":"contact.creation","attemptNumber":0,"objectId":123,"changeSource":"CRM","changeFlag":"NEW","appId":54321}]

Source String:
yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy[{"eventId":1,"subscriptionId":12345,"portalId":62515,"occurredAt":1564113600000,"subscriptionType":"contact.creation","attemptNumber":0,"objectId":123,"changeSource":"CRM","changeFlag":"NEW","appId":54321}]

The resulting hash would be:
232db2615f3d666fe21a8ec971ac7b5402d33b9a925784df3ca654d05f4817de
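
The steps above as a receiving-side check, written as an added example (not HubSpot's own code). The function names and the headers-as-dict interface are assumptions; the secret and body are the sample values from this page. It hashes the raw request bytes and compares in constant time, and shows that a re-serialized JSON body no longer validates.

```python
import hashlib
import hmac
import json

# Placeholder secret and sample body from the example on this page.
CLIENT_SECRET = "yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy"
RAW_BODY = (b'[{"eventId":1,"subscriptionId":12345,"portalId":62515,'
            b'"occurredAt":1564113600000,"subscriptionType":"contact.creation",'
            b'"attemptNumber":0,"objectId":123,"changeSource":"CRM",'
            b'"changeFlag":"NEW","appId":54321}]')


def v1_signature(client_secret: str, raw_body: bytes = b"") -> str:
    """SHA-256 hex digest of client secret + request body (v1 scheme)."""
    return hashlib.sha256(client_secret.encode("utf-8") + raw_body).hexdigest()


def verify_v1(headers: dict, raw_body: bytes, client_secret: str) -> bool:
    """Return True only for a v1-signed request whose signature matches."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if h.get("x-hubspot-signature-version") != "v1":
        return False  # other signature versions are validated differently
    received = h.get("x-hubspot-signature", "").strip()
    expected = v1_signature(client_secret, raw_body)
    # Constant-time comparison avoids leaking how much of the value matched.
    return hmac.compare_digest(expected.encode("utf-8"), received.encode("utf-8"))


def demo() -> dict:
    """Run the check against constructed requests and return each outcome."""
    sig = v1_signature(CLIENT_SECRET, RAW_BODY)
    headers = {"X-HubSpot-Signature-Version": "v1", "X-HubSpot-Signature": sig}
    # Parsing and re-dumping the JSON changes whitespace, so the bytes differ.
    reserialized = json.dumps(json.loads(RAW_BODY)).encode("utf-8")
    tampered = RAW_BODY.replace(b'"objectId":123', b'"objectId":124')
    return {
        "raw_body": verify_v1(headers, RAW_BODY, CLIENT_SECRET),
        "reserialized_body": verify_v1(headers, reserialized, CLIENT_SECRET),
        "tampered_body": verify_v1(headers, tampered, CLIENT_SECRET),
        "wrong_version": verify_v1(
            {**headers, "X-HubSpot-Signature-Version": "v2"}, RAW_BODY, CLIENT_SECRET),
    }


if __name__ == "__main__":
    print(demo())
```

In a web framework, pass the request body exactly as received (before any JSON parsing middleware touches it) to `verify_v1`.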