Thoughts on Webhook "auth"


We need to setup a webhook that subscribes to contact deletions.

What is the recommended method for us to confirm that the request originated from HubSpot as opposes to someone finding our endpoint and posting their own data to it?


Hi @homerlex,

We populate a X-HubSpot-Signature header with a SHA-256 hash of the concatenation of the app-secret for your application and the request body we’re sending. You can create your own hash using the request body and your client secret, and compare the two to confirm the webhook requests are coming from HubSpot.


Perfect, thanks a bunch.