fonji
Contributor

Webhooks - How to check X-Hubspot-Signature

Hello!

I’m trying to ensure that the data I receive as a webhook comes from HubSpot.
The documentation has pretty clear steps to check that, using sha256, the app’s secret id, and the request’s body.
But it doesn’t seem to work for me: the result doesn’t match the X-Hubspot-Signature header.

Here’s an example of my code (I tried different variants), in Ruby on Rails:

base = <my secret> + request.body.to_s
hashed = Digest::SHA2.hexdigest(base)
puts hashed == request.headers['X-Hubspot-Signature'] # this is false

I copy-pasted the secret from https://app.hubspot.com/developers/<id>/application/<appId>.
The hashed value is in the same format as the header (hexadecimal with the same length), it just isn’t the same.

Is there anything I missed?

0 Upvotes
eric1
Member

Just to add an example for JavaScript/Node.js users:

import { createHash } from 'crypto';

const testSignature = createHash('sha256').update(clientSecret + JSON.stringify(request.body)).digest('hex');

const isValid = request.headers['x-hubspot-signature'] === testSignature;
fonji
Contributor

I was right, sorry for posting early (and for brain-farting).

base = <my secret> + request.body.string # and NOT .to_s
hashed = Digest::SHA2.hexdigest(base)
puts hashed == request.headers['X-Hubspot-Signature']

works beautifully.

0 Upvotes
fonji
Contributor

It seems to be caused by Ruby on Rails’ request.body which is a StringIO instead of a standard String.
I’ll post my solution if I ever find it.

0 Upvotes
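
Added example, not part of the original thread and not HubSpot's code: a plain-Ruby check of the scheme the posts describe (SHA-256 hex of secret + raw body) that reads the StringIO contents instead of calling `to_s`, rewinds a stream that was already consumed, and compares in constant time. The helper names, secret and payload are constructed for illustration.

```ruby
require 'digest'
require 'stringio'

# Constructed sample values for illustration; not real HubSpot data.
SAMPLE_SECRET = 'constructed-app-secret'
SAMPLE_BODY   = '{"constructed":"payload","id":1}'

# Read the raw payload from an IO-like body (Rails' request.body is a StringIO).
# Rewind before and after so earlier and later readers see the full payload.
def raw_body(io)
  io.rewind
  data = io.read
  io.rewind
  data
end

# Length check plus XOR accumulation, so the comparison time does not
# depend on the position of the first differing byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Signature as described in the thread: SHA-256 hex digest of secret + body.
def expected_signature(secret, body)
  Digest::SHA256.hexdigest(secret + body)
end

def valid_signature?(secret, body_io, header)
  return false if header.nil? || header.empty?
  secure_equal?(expected_signature(secret, raw_body(body_io)), header)
end

# What the first post hashed: StringIO has no to_s of its own, so this is
# Object#to_s ("#<StringIO:0x...>"), not the payload.
def signature_from_to_s(secret, body_io)
  Digest::SHA256.hexdigest(secret + body_io.to_s)
end

if __FILE__ == $PROGRAM_NAME
  header = expected_signature(SAMPLE_SECRET, SAMPLE_BODY) # stands in for the sender
  body   = StringIO.new(SAMPLE_BODY)
  body.read # simulate middleware that already consumed the stream
  puts valid_signature?(SAMPLE_SECRET, body, header)
  puts signature_from_to_s(SAMPLE_SECRET, body) == header
end
```

Inside a Rails app, `ActiveSupport::SecurityUtils.secure_compare` can replace the hand-written `secure_equal?`.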