HubSpot Webhooks
How to Test HubSpot Webhooks Locally (2026)
HubSpot sends webhooks for CRM object events — contact, company, deal, and ticket changes. HubSpot v3 signs each request with HMAC-SHA256 over the request method, URI, body, and timestamp using your app's client secret, delivered in the X-HubSpot-Signature-v3 header.
Signature Header
X-HubSpot-Signature-v3
Algorithm
HMAC-SHA256 over method+uri+body+timestamp (app client secret)
Setup Guide
- 1Create a free HookSense endpoint at hooksense.com
- 2In your HubSpot app settings → Webhooks
- 3Set the Target URL to your HookSense URL
- 4Create subscriptions for the object events you want (e.g. contact.creation)
- 5Note your app's client secret — it's the key for v3 signature verification
- 6Trigger a change in HubSpot to fire a webhook
- 7Watch it land in HookSense, including the X-HubSpot-Signature-v3 header
Common HubSpot Webhook Events
contact.creationcontact.deletioncontact.propertyChangecompany.creationcompany.propertyChangedeal.creationdeal.propertyChangeticket.creationForward to Localhost
Use HookSense CLI to forward HubSpot webhooks directly to your local development server:
npx hooksense listen -p 3000 --path /api/integrations/hubspotNo ngrok or tunnel setup required. Install with npm i -g hooksense or use npx.
Tips & Best Practices
- v3 signs method + URI + raw body + timestamp — reconstruct the exact string, then HMAC-SHA256 with the client secret and base64-encode
- Reject requests whose X-HubSpot-Request-Timestamp is more than 5 minutes old to block replays
- HubSpot batches multiple events into a single request body (an array) — handle each element
- Use a constant-time comparison when checking the signature to avoid timing attacks
Related
Start Testing HubSpot Webhooks
Create a free endpoint and receive your first HubSpot webhook in seconds.
Get Started Free