I am trying to authenticate a webhook using an API key (secret name and secret value). So I have made two files:

webhook.php:

```php
<?php

include('webhook-api-key.php');
// Retrieve the request body from the webhook POST request
if ($http_status_code === 200){
        $request_body = file_get_contents('php://input');

        // Convert the request body from JSON to a PHP object
        $request_data = json_decode($request_body);

        // Extract the contact properties from the request data
        $contact_properties = $request_data->properties;

        // Extract the email property value
        $email = $contact_properties->email->value;

        // Extract the first name property value
        $first_name = $contact_properties->firstname->value;

        // Extract the last name property value
        $last_name = $contact_properties->lastname->value;

        // Do something with the contact data, such as adding it to a database or sending an email notification
        // For example:
        $contact_data = array(
            'email' => $email,
            'first_name' => $first_name,
            'last_name' => $last_name
        );
        // Add the contact data to a database or send an email notification, etc.

        // Send a HTTP response to HubSpot indicating that the webhook was successfully received and processed
        http_response_code(200);
}
?>
```

and webhook-api-key.php:

```php
<?php

$endpoint_url = 'https:/.../hubspot/webhook.php';

// Set up the API key secret name and secret value
$api_key_secret_name = 'word';
$api_key_secret_value = 'anther_word';

// Set up the HTTP POST request headers
$headers = array(
    'Content-Type: application/json',
    'Authorization: Bearer '.$api_key_secret_value
);

// Set up the HTTP POST request body
$body = array(
    'api_key' => $api_key_secret_value
);

// Send the HTTP POST request to the webhook endpoint URL
$ch = curl_init($endpoint_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($body));
$response = curl_exec($ch);

// Check for errors
if(curl_errno($ch)) {
    $error_message = curl_error($ch);
    echo 'Error: '.$error_message;
}

// Get the HTTP response status code
$http_status_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

// Close the HTTP POST request
curl_close($ch);

// Handle the webhook response
if ($http_status_code === 200) {
    echo 'Webhook successfully authenticated.';
} else {
    echo 'Webhook authentication failed with HTTP status code: ' . $http_status_code;
}
?>
```

And in the HubSpot configuration, the URL is 'https:/.../hubspot/webhook.php'.

Is it OK this way? I am asking because it killed my server when I tried to test it, and I cannot find examples on the internet using this kind of authentication.

Thank you!

Fllorinaaa
  • Can't make much sense of that code. So `webhook.php` includes `webhook-api-key.php` - which then in turn tries to make a request for `https:/.../hubspot/webhook.php` ...? What is the point of that supposed to be? Why would your own webhook script have to authenticate "against itself"? – CBroe Apr 06 '23 at 08:04
  • I understand what you are saying. So in this case, how should I organize my code? HubSpot sends the request body to /.../hubspot/webhook.php; first I have to authenticate and check the secret name and value, which I already have from the HubSpot settings configuration, and if OK, then decode the request body and do something with the values. I do not know what URL to put in the curl part. Do I need a URL there? I mean, I have to check for the secret name/value in webhook.php. Thank you! – Fllorinaaa Apr 06 '23 at 08:14
  • I think this is the way: $secretName= 'word'; $secretValue = 'another_word'; $requestBody = file_get_contents('php://input'); $data = json_decode($requestBody, true); if (isset($data['secretName']) && isset($data['secretValue'])) {     $actualSN = $data['secretName'];     $actualSV = $data['secretValue'];     if ($actualSN== $secretName&& $actualSV== $secretValue ) {         $contact_properties = $request_data->properties;         echo 'Secret name and value are proper';     } else {         echo 'Invalid secret name or value';     } } Is this the correct way ? Thank you! – Fllorinaaa Apr 06 '23 at 09:04
  • _"first I have to authenticate and check the secret name and value, that I already have from the hubspot settings configuration"_ - if you _have_ those values already, then why do you want to make a cURL request at this point? Can you please link to the documentation for this; because I feel like you might probably have misunderstood something about how the whole process is supposed to work. – CBroe Apr 06 '23 at 10:42

1 Answer

So it is actually quite simple. There are no examples on the internet, and the documentation is poor; it explains more about the HubSpot signature than the API key. I understood eventually how it works, and here is the working code:

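```php
<?php
// The secret value arrives in a request header named after the secret name;
// PHP exposes a header named "word" as $_SERVER['HTTP_WORD'].
$expectedSecretName = 'word'; // Replace with your expected secret name
$expectedSecretValue = 'another_word'; // Replace with your expected secret value

$requestBody = file_get_contents('php://input');
$data = json_decode($requestBody);

// hash_equals() compares in constant time; ?? '' covers a missing header
if (hash_equals($expectedSecretValue, $_SERVER['HTTP_WORD'] ?? '')) {
    // do something with values
    $email = $data->email;
    $firstname = $data->firstname;
    $lastname = $data->lastname;
} else {
    // not from Hubspot
}
```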
Fllorinaaa
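A hardened version of the header check from the answer above, as an added example that is not the poster's code or HubSpot's: it derives the `$_SERVER` key from the secret name, fails closed, authenticates before parsing the body, and validates the JSON. The function names and the `WEBHOOK_SECRET` environment variable are assumptions; the header name `word`, the placeholder value and the contact fields come from the page.

```php
<?php
declare(strict_types=1);

// Map a header name to the key PHP uses in $_SERVER: "word" -> "HTTP_WORD".
function serverKeyForHeader(string $headerName): string
{
    return 'HTTP_' . strtoupper(str_replace('-', '_', $headerName));
}

// True only if the request carries the expected secret in the named header.
function isAuthenticated(array $server, string $headerName, string $expected): bool
{
    $received = $server[serverKeyForHeader($headerName)] ?? null;
    if ($expected === '' || !is_string($received)) {
        return false; // fail closed: unset secret or missing header
    }
    return hash_equals($expected, $received); // constant-time comparison
}

// Returns [HTTP status, contact array or null]. Authenticates before parsing.
function handleWebhook(array $server, string $rawBody, string $headerName, string $expected): array
{
    if (!isAuthenticated($server, $headerName, $expected)) {
        return [401, null];
    }
    try {
        $data = json_decode($rawBody, true, 16, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return [400, null];
    }
    if (!is_array($data) || !is_string($data['email'] ?? null)
        || filter_var($data['email'], FILTER_VALIDATE_EMAIL) === false) {
        return [400, null];
    }
    return [200, [
        'email'      => $data['email'],
        'first_name' => is_string($data['firstname'] ?? null) ? $data['firstname'] : '',
        'last_name'  => is_string($data['lastname'] ?? null) ? $data['lastname'] : '',
    ]];
}

// Constructed sample requests; a live endpoint would pass $_SERVER and
// file_get_contents('php://input'), then call http_response_code($status).
$secret = getenv('WEBHOOK_SECRET') ?: 'another_word'; // env var name is an assumption
$body   = '{"email":"jane@example.com","firstname":"Jane","lastname":"Doe"}';
foreach ([['HTTP_WORD' => 'another_word'], ['HTTP_WORD' => 'guess'], []] as $server) {
    [$status] = handleWebhook($server, $body, 'word', $secret);
    echo $status, PHP_EOL;
}
```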