There's a new version of the HubSpot API

As of November 30, 2022, HubSpot API keys are no longer a supported authentication method for accessing HubSpot APIs. Instead, you should use a private app access token or OAuth to authenticate API calls. Learn more about this change and how to migrate an API key integration to use a private app instead.

Validating requests from HubSpot

To ensure that the requests that your integration is receiving from HubSpot are actually coming from HubSpot, we populate two headers: X-HubSpot-Signature and X-HubSpot-Signature-Version.

The X-HubSpot-Signature header will contain the signature that will need to be verified. The method used to verify the signature will depend on the version of the signature.

The X-HubSpot-Signature-Version header will contain a version number, i.e. v2, that will indicate which method should be used to verify the signature included in X-HubSpot-Signature.

See the documentation pages below for details on verifying the different versions of the signature.

Validating the v1 request signature
Validating the v2 request signature