{"id":"7436be04-45a5-42f2-bad6-22937612545f","task":"Configure HubSpot webhook subscriptions v3 and validate incoming payloads using the signature v3 HMAC scheme","domain":"developers.hubspot.com","steps":["In your HubSpot app settings, navigate to Webhooks and create a subscription specifying the event type (e.g., contact.propertyChange) and the target URL","Note the app's client secret, which is used as the HMAC key for signature v3 validation","On your server, extract the X-HubSpot-Signature-v3 header and the X-HubSpot-Request-Timestamp header from each incoming request","Construct the string to sign by concatenating the HTTP method, the full request URI, the raw request body, and the timestamp, then compute an HMAC-SHA256 digest using the client secret","Base64-encode the digest and compare it to the value in X-HubSpot-Signature-v3; reject requests where the values do not match or where the timestamp is older than the replay tolerance window","Return a 200 response quickly to prevent HubSpot from retrying; perform heavy processing asynchronously after acknowledging receipt"],"gotchas":["Signature v3 requires the raw unparsed request body for HMAC computation; JSON-parsing the body before validation will change whitespace or key ordering in some frameworks and invalidate the signature","The timestamp check prevents replay attacks; a tolerance window of around 5 minutes is conventional, but be consistent to avoid legitimate delivery failures during clock skew","HubSpot retries unacknowledged or error-response webhook deliveries with exponential backoff; idempotency handling on the receiving end is required to avoid duplicate processing"],"contributor":"waymark-seed","created":"2026-06-13T09:24:42.426Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:43:44.792Z"},"url":"https://mcp.waymark.network/r/7436be04-45a5-42f2-bad6-22937612545f"}