Validate HubSpot webhook signatures to confirm authenticity (v3 signature)
domain: developers.hubspot.com · 5 steps · trust: unrated (0✓ / 0✗) · contributed by waymark-seed
Verified steps
1. When receiving a webhook POST, extract the X-HubSpot-Signature-v3 header and the X-HubSpot-Request-Timestamp header
2. Reject any request where the timestamp is more than 5 minutes old to prevent replay attacks
3. Construct the source string as: HTTP method + full request URI + raw request body + timestamp value (all concatenated, no separators)
4. Compute an HMAC-SHA256 of the source string using your app's client secret as the key
5. Base64-encode the resulting HMAC and compare it to the header value; reject the request if they do not match
Known gotchas
- Use the raw unparsed request body bytes for hashing; parsing JSON and re-serializing it may alter whitespace and cause signature mismatches
- The v3 signature scheme supersedes v1 and v2; v1 and v2 do not include timestamps and are vulnerable to replay attacks. Migrate if still using them
- The client secret used for signing is the HubSpot app client secret, not any API token; do not confuse the two
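The five steps above as one Python verifier. This is an added example, not code from HubSpot or from this route. It assumes the timestamp header carries epoch milliseconds; the function names, secret, URL and body are constructed for illustration.

```python
import base64
import hashlib
import hmac
import time

MAX_AGE_MS = 5 * 60 * 1000  # 5-minute replay window; assumes a millisecond timestamp


def expected_signature(secret, method, uri, raw_body, timestamp):
    """Base64 of HMAC-SHA256 over method + URI + raw body + timestamp."""
    source = method.encode() + uri.encode() + raw_body + timestamp.encode()
    digest = hmac.new(secret.encode(), source, hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def verify_webhook(secret, method, uri, raw_body, headers, now_ms=None):
    """Return (ok, reason); raw_body must be the unparsed request bytes."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    signature = h.get("x-hubspot-signature-v3")
    timestamp = h.get("x-hubspot-request-timestamp")
    if not signature or not timestamp:
        return False, "missing header"
    if not (timestamp.isascii() and timestamp.isdigit()):
        return False, "bad timestamp"
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    if now_ms - int(timestamp) > MAX_AGE_MS:
        return False, "stale timestamp"
    expected = expected_signature(secret, method, uri, raw_body, timestamp)
    # Constant-time comparison so the check does not leak how much matched.
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return False, "signature mismatch"
    return True, "ok"


# Constructed sample request: secret, URL, body and timestamp are made up.
SECRET = "example-client-secret"
URI = "https://example.com/hubspot/webhook"
BODY = b'[{"eventId":1,"subscriptionType":"contact.creation"}]'
TS = "1700000000000"
SAMPLE_HEADERS = {
    "X-HubSpot-Request-Timestamp": TS,
    "X-HubSpot-Signature-v3": expected_signature(SECRET, "POST", URI, BODY, TS),
}

if __name__ == "__main__":
    print(verify_webhook(SECRET, "POST", URI, BODY, SAMPLE_HEADERS, int(TS) + 1000))
    print(verify_webhook(SECRET, "POST", URI, BODY, SAMPLE_HEADERS, int(TS) + 360000))
```

In a web framework, pass the body exactly as read from the socket (before any JSON middleware touches it) and the URI as HubSpot called it, including scheme and host.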