API IP Addresses / Firewall Whitelisting



We have a custom CRM extension for our contacts that will allow us to show some data from our local CRM in the hubspot contact as detailed on: https://developers.hubspot.com/docs/methods/crm-extensions/crm-extensions-overview

To do this I have created a small webservice that we will host on one of our servers that provides hubspot with the UI json, and an endpoint to call when the action buttons are clicked. This works fine.

We want to be able to restrict access to this webservice so that only requests coming directly from hubspot are accepted. We cant seem to find a proper list of the IPs used by the APIs though? The support guys advised us to restrict by domain, however looking at the requests they all come from aws domains so that wont work

What should we do?/What other things have people done to get around this issue?



Hi @MattHodge,

We don’t document the IPs we use, since we don’t have a static IP range. To ensure that the requests you’re getting at your data fetch URIs and action hook URIs are actually coming from HubSpot, we populate a X-HubSpot-Signature header with a SHA-256 hash of the concatenation of the app-secret for your application and the request body we’re sending.


@Derek_Gervais - How do we handle this when doing a POST using a Workflow Webhook step to a webservice on one of our servers? Thanks in advance!


Hi @Siddall,

The workflow webhook action is different; since it's not associated with an app, it doesn't have the same X-HubSpot-Signature header. Instead, you should select the "Use authentication" option in-app, and input a username/password combination. This populates the Authorization header with Basic auth (i.e. a base64 encoding of the following concatenation: username:password). This can be used to confirm the validity of your requests.

Also, though it should go without saying, please make sure to use https for your webhook endpoint(s).