Due to security concerns related to storing credentials to other applications, we are deprecating basic auth in Workflow webhooks on April 1.
Many of you use basic auth to verify that webhook requests are coming from HubSpot. Now, we are offering a better, more secure way of verifying webhooks with request signatures.
We plan to fully sunset basic auth on April 1, 2019 for all customers. After that date, any webhooks with basic auth will continue to fire but without the auth credentials. New webhook actions created on April 1 and moving forward will not allow you to use basic auth, only request signatures. Between now and April 1, existing customers will have the option to use both verification methods to help transition:
To help you get started with this new flow, we’ve created documentation on how to set up request signatures. To help facilitate the migration, you’ll be able to use both basic auth and request signatures during the transition period between now and April 1, 2019.
New user? No worries -- any new customers starting on March 1 don’t have the ability to add basic auth in webhooks -- you will only have the option to verify webhooks with request signatures from the start:
If you are using a third-party integration that relies on webhooks and basic auth, please let us know so we can contact the integrator for you. Otherwise, you’ll need to reach out to the integrator directly.
A customer email was sent out last month to give users of this feature a heads up about the deprecation. Previously, the deprecation was going to take place on March 1. The deadline has now been extended to April 1.
If you have questions about these changes, please email Bella Wu (firstname.lastname@example.org).