Hi, I have some flows that trigger off of HTTP requests for some integrations, including HubSpot. I would like to implement verification of those requests to improve security and for many of the integrations the HTTP request includes a header with some sort of HMAC-based signature.
Within my flow, I need to re-calculate the signature, compare it to the one received and if they match we have confidence the message is complete and untampered. While I have build a custom connector to help calculate the HMAC-based signature, I am having troubles performing the calculation when it involves the body of the incoming request, aka the triggerBody().
I suspect the issue is coming from Power Automate treating the payload as a JSON object and altering the space/newline structure to make it more human-readable. However, changing a single space in the payload changes it enough that it will no longer generate the same HMAC-based signature.
Does anyone have ideas for extracting an unaltered payload out of the trigger so I can correctly calculate the signature and validate the payload?
Thanks in advance,
Bryan
I have the same issue, however, they do validate eventually, it sometimes takes one or more retries, and I don't know a way around this yet and am concerned that we will potentially miss messages altogether.
Would like to know if anyone has resolved this?
I have not been able to get this working in Power Automate due to the issue I pointed out in the original post. Custom connectors do allow us to run a small piece of c# code, which is enough to calculate the hash; however, the extra whitespace introduced as Power Automate handles the message body renders the calculation unusable.
It might work better setting up an Azure Function to handle this, but still on my "to-do" list.
Bryan
Hi - I'm in a similar position of needing to improve security of http triggered power automate flows using HMAC signature verification. Could you please share what you did to build a custom connector that can calculate the signature? Ultimately does your custom connector outsource the signature calculation to a third party service or are you handling it completely within the connector? Thanks in advance!
ankit_singhal
7
Super User 2025 Season 1
Michael E. Gernaey
4
Super User 2025 Season 1
David_MA
2
Super User 2025 Season 1