Webhooks - How to check X-Hubspot-Signature


#1

Hello!

I’m trying to ensure that the data I receive as a webhook comes from hubspot.
The documentation has pretty clear steps to check that, using sha256, the app’s secret id, and the request’s body.
But it doesn’t seem to work for me, the result doesn’t match the X-Hubspot-Signature header.

Here’s an example of my code (I tried different variants), in ruby on rails:

base = <my secret> + request.body.to_s
hashed = Digest::SHA2.hexdigest(base)
puts hashed == request.headers['X-Hubspot-Signature'] # this is false

I copy-pasted the secret from https://app.hubspot.com/developers/<id>/application/<appId>.
The hashed value is on the same format than the header (hexadecimal with the same length), it just isn’t the same.

Is there anything I missed?


#2

It seems to be caused by ruby on rails’ request.body which is a StringIO instead of a standard String.
I’ll post my solution if I ever find it.


#3

I was right, sorry for posting early (and for brain-farting).

base = <my secret> + request.body.string # and NOT .to_s
hashed = Digest::SHA2.hexdigest(base)
puts hashed == request.headers['X-Hubspot-Signature']

works beautifully.


#4

Just to add an example for Javascript/Node.js users:

import { createHash } from 'crypto';

const testSignature = createHash('sha256').update(clientSecret + JSON.stringify(request.body)).digest('hex');

const isValid = request.headers['x-hubspot-signature'] === testSignature;