Hi all! 👋
We're facing a bit of a challenge securing external call recording URLs that we're linking to HubSpot call records, and we're hoping someone can offer some guidance.
Here's the situation:
We have a private app that creates call records in HubSpot.
We're attaching URLs to these records that point to call recordings hosted on our servers.
Our goal: We need to restrict access to these recording URLs so that *only* the HubSpot calls page can display them.
We can't rely on IP allowlisting because HubSpot uses dynamic IP addresses.
Our main questions are:
How does the HubSpot calls page actually retrieve these URLs? - Does it use specific HTTP headers, authentication tokens, or any other identifiable mechanisms?
What are the recommended security practices for ensuring only HubSpot can access these URLs in this specific context?
Specifically, does HubSpot support any kind of signed requests for this kind of action?
Essentially, we need to understand how HubSpot fetches these URLs so we can implement the appropriate security measures on our end.
Any resources, insights or suggestions would be greatly appreciated! 🙏
Thanks