[UPDATE]: ✅ Solved!
Hi team! 👋 I’m working on a public app and have a question about request signatures when using hubspot.fetch().
At the moment, I’m not seeing any kind of signature in the request headers. I’ve seen some posts suggesting these should be present, and I know that webhooks are always signed according to the docs. Also, there’s an article that says that signature headers are always sent, but I never saw them. I couldn’t find any other clear info about whether hubspot.fetch() requests from public app extensions are signed too.
My setup: The app is running locally with local.json, using GCP functions as handlers.
It’s installed and the OAuth flow works correctly, but the app hasn’t been deployed via CI/CD - only uploaded manually using CLI commands.
I’ve created a backend endpoint to return user-specific data, but I’m not sure how to securely authenticate those requests.
The use case:
Each HubSpot user accessing the app should only be able to view their own scoped data. For example, users from Company A shouldn’t be able to access data belonging to Company B.
To support this, I want to verify the user identity (or portal ID) making the request, ideally using a signed request.
I originally considered passing an API key in the authorization header, but that’s clearly not secure since it would be exposed in every request.
As a fallback, I’ve implemented an iframe-based version that receives context via postMessage, and that works - but I’d really prefer to build a more integrated experience using public app extensions.
So my main question is:
👉 Are requests made using hubspot.fetch() signed in any way? If not, is there a recommended way to securely identify the caller (user or portal) on the backend?
Any clarification would be greatly appreciated. Thanks! 🙏