SShortSingh.
Back to feed

HubSpot Webhook Signature Validation: Why v3 Is the Only Version Worth Using

0
·2 views

HubSpot has introduced three webhook signature schemes over the years — v1, v2, and v3 — each using similar header names, which frequently causes developers to implement the wrong version. The v1 and v2 schemes use SHA-256 hashing with no timestamp, leaving them vulnerable to replay attacks, while v3 uses HMAC-SHA256 with a signed timestamp for stronger security. HubSpot currently recommends v3, which requires hashing the HTTP method, full URI, raw request body, and timestamp together, then Base64-encoding the result. Common implementation mistakes include re-serializing the request body before verification, using the wrong URI format, omitting the timestamp from the signed string, or comparing a hex digest against a Base64-encoded header. Developers should also reject any request whose timestamp is more than five minutes old to prevent replay attacks.

Read the full story at DEV Community

This is an AI-generated summary. ShortSingh links to the original source for the complete article.

Discussion (0)

Log in to join the discussion and vote.

Log in

Related stories

0
ProgrammingDEV Community ·

Railway's 2026 Outages Raise Reliability Concerns for Production AI Apps

Cloud deployment platform Railway experienced two major outages in 2026, including an eight-hour platform-wide disruption on May 19-20 caused by Google Cloud incorrectly suspending Railway's production account. A second significant outage followed on July 2, affecting a US East availability zone for roughly four hours with degraded networking and disk performance. Railway's own public status page shows monthly uptime dipping to 99.26% in May and 99.42% in July, reflecting a broader pattern of incidents across builds, deployments, networking, and workload reachability. AI applications are considered especially vulnerable because they rely on long-lived requests, durable state, and uninterrupted agent workflows that are difficult to recover mid-chain. While Railway remains a fast option for prototypes, developers running production AI products with real users are being advised to evaluate more resilient alternatives.

0
ProgrammingDEV Community ·

Why Small Talk and Trust Matter for Teams Navigating AI Adoption

A developer argues that casual, open conversations within teams are a critical but overlooked habit as AI tools become more prevalent in the workplace. These discussions cover what AI approaches work, what fails, and the ethical implications of integrating such tools into daily routines. The author emphasizes that this kind of dialogue requires psychological safety, so team members do not feel guilty or left behind when a colleague implements a new idea. Documenting lessons learned — including mistakes — is highlighted as especially important for collective growth. According to the author, while such conversations may seem unproductive, they build an ethical foundation that helps teams move forward with confidence.

0
ProgrammingDEV Community ·

Syllabix Uses AI to Generate Curriculum-Aligned Lesson Plans for Nigerian Teachers

A developer named Bukarr has built Syllabix, a progressive web app designed to help Nigerian teachers quickly generate lesson plans aligned with NERDC/UBE and WAEC/SSCE curricula. The tool allows teachers to input a subject, grade level, and topic, then receive a structured, exportable lesson plan within minutes rather than hours. Built using React, TypeScript, Shadcn/UI, and Supabase, the app was developed during the HACKHAZARDS '26 hackathon and is optimized for low-connectivity environments common in Nigeria. Syllabix is currently live on Vercel, and its creator is in talks with the Federal Ministry of Education about scaling the platform to school and state levels.

0
ProgrammingDEV Community ·

Agent Slugs Serve as the Critical Link Between APC Portable Context and APX Runtime

In the APC/APX framework, an 'agent slug' is a short, stable identifier that connects the portable project context layer (APC) with the local runtime layer (APX). APC stores structured agent definitions in files like .apc/agents/reviewer.md, while APX uses the same slug to route CLI commands and store runtime data under per-agent filesystem paths. Keeping the slug stable ensures session history, memory, and command routing remain consistent even when an agent's model, description, or skills are updated. Unstable or implementation-specific slugs — such as 'smart-reviewer-v2' or 'claude-helper' — can disrupt continuity and make agent definitions feel disposable rather than durable. Developers are advised to choose slugs that reflect a role's long-term responsibility, following principles similar to naming a stable API endpoint.