IR HubSpot Backend

This is the “brain” for the IR HubSpot integration app. It holds all secrets, validates inbound HubSpot v3 signatures, and makes outbound CRM calls. The HubSpot project (UI cards/settings) talks to these endpoints via hubspot.fetch.

Endpoints

• POST /api/cards/example?portalId=<id> — example signed card endpoint. Returns { ok, message }.
• GET|PUT /api/settings?portalId=<id> — settings skeleton (signed).

Authentication

Every endpoint requires a valid X-HubSpot-Signature-v3 header plus a X-HubSpot-Request-Timestamp within a 5-minute replay window, and a ?portalId query param that resolves to a configured portal. Requests without a valid signature receive 401. Direct browser requests will always 401 — that is expected.

Secrets model

• Service Key (App → HubSpot, Bearer, scope-gated) — outbound CRM reads/writes.
• Client Secret (HubSpot → App, HMAC) — validates inbound signatures. Never interchangeable with the Service Key.