I’m trying to ensure that the data I receive as a webhook comes from hubspot.
The documentation has pretty clear steps to check that, using sha256, the app’s secret id, and the request’s body.
But it doesn’t seem to work for me, the result doesn’t match the X-Hubspot-Signature header.
Here’s an example of my code (I tried different variants), in ruby on rails:
base = <my secret> + request.body.to_s
hashed = Digest::SHA2.hexdigest(base)
puts hashed == request.headers['X-Hubspot-Signature'] # this is false
I copy-pasted the secret from https://app.hubspot.com/developers/<id>/application/<appId>.
The hashed value is on the same format than the header (hexadecimal with the same length), it just isn’t the same.