Dev Tools · 1h ago
HubSpot Webhook Signatures: How to Verify v3 Correctly
HubSpot has shipped three webhook signature schemes, with v3 being the recommended one. v3 uses HMAC-SHA256 over the method, full URI, raw body, and timestamp, with Base64 encoding. Common mistakes include re-serializing JSON, not normalizing the URI, and comparing hex to Base64.
Meridian48 take
The post is a practical guide, but the real takeaway is that HubSpot's legacy v1 and v2 schemes lack replay protection, making v3 essential for secure integrations.
Read the full reporting
How to Verify HubSpot Webhook Signatures (v1, v2, and the v3 You Should Actually Use) →
DEV Community
hubspotwebhook-security