HubSpot API Authentication and App Setup: The Foundations That Prevent Pain
There is a truth almost every integration developer learns the hard way: most of the problems that show up down the line are born from a decision made at the very start, in authentication. The wrong token, one scope too many, the secret in the wrong place. These choices look like details in the first week and become a nightmare at the first incident.
That is why it is worth spending thirty minutes understanding HubSpot API authentication well before writing the first call. It is the highest-return investment of the whole integration. Getting it right here spares you the scope 403, the token leaked in a log, and the pain of revoking a credential spread across six different integrations. In this guide, I will cover the foundations that hold everything up: the credential types, scopes, tokens, and the security that cannot be skipped.
The first decision: which credential to use
HubSpot has more than one way to authenticate now, and choosing the right one at the start avoids heavy rework later. The choice comes down to two questions: how many portals will use the integration, and which features it needs. The old API Keys (hapikey) were sunset in 2022, so they are no longer an option. The credentials you actually pick from are these.
- Private app (static token): serves a single portal. You create it in that portal's settings, it gets a fixed token, and that token defines exactly which portal the calls affect. It is the simplest path for internal integrations and is fully supported.
- Account service keys (beta): a scoped static key for direct REST calls, managed under Development, Keys. Quick to set up, but it cannot authenticate webhooks or UI extensions.
- OAuth apps: for applications that many different portals will install, with a consent flow and access tokens that renew over time.
- New developer platform apps (built with the HubSpot CLI): configuration as code, authenticated by a static token or OAuth. This is what you need when the integration requires webhooks, app cards, custom workflow actions, or serverless functions.
The rule of thumb: a single portal calling only REST APIs, a private app or a service key; many portals, an OAuth app; anything that needs webhooks or other app features, an app on the new platform. Getting this wrong is expensive, because starting with a private app and later needing to distribute to many portals means rewriting the entire authentication layer. So before any code, answer honestly: how many portals will this integration serve, and which features does it need?
Scopes: the principle of least privilege in practice
Each token receives scopes, which are permissions organized by area and by action. The crm.objects.contacts.read scope allows reading contacts, and crm.objects.contacts.write allows writing them. There are dedicated scopes for companies, deals, automation, forms, and so on. The principle that should guide the choice is least privilege: grant the token only the scopes its specific task requires, and nothing more. A token whose job is to extract data for reporting or a data warehouse should have only read scopes, never write. This discipline is not bureaucracy, it is your main safety net, because it limits the damage if the token falls into the wrong hands.
Why separating read from write matters
Mixing read and write in a single token to make things easier is a common mistake that charges its price later. A read token that leaks lets someone see your data, which is already bad. A token that also has write lets someone change or delete your records, which is catastrophic. Splitting the functions into different tokens, with minimal scopes in each, turns a serious incident into a manageable one. And, as a bonus, it makes auditing easier, because each token tells a clear story about what it can and cannot do.
How to send the token on each call
Whether it is a private app, a service key, or OAuth, the token travels in the authorization header, as Bearer, on every request. The base of all calls is the same, and the affected portal is set by the token, not by the URL, which reinforces why the token is the most sensitive item in the whole operation.
|
Authorization: Bearer <access_token> Content-Type: application/json |
In OAuth apps, there is one more layer. The access token is short-lived and needs to be renewed periodically using the refresh token. Treat that renewal as an integral part of the integration, not a detail. An OAuth integration that does not handle token renewal well simply stops working when the access token expires, usually at the worst time. Static credentials, a private app token or a service key, do not expire on their own, but you should still rotate them on a schedule.
Rate limits and versioning enter the picture early
Authenticating is the first step, but two adjacent factors need to be on your radar from the design stage. The first is rate limits: each portal has a daily and a burst ceiling, which vary by subscription, and the Search API has its own, lower limit. The second is versioning: since March 2026, HubSpot uses date-based versioning, with URLs like /2026-03/ and breaking changes only twice a year, in March and September. The legacy v1 to v4 paths still work, but v4 becomes unsupported on March 30, 2027, so pin a version and follow the changelog. Thinking about these two factors from the start is cheaper than discovering them in production.
Token security, no exceptions
The token gives direct access to the portal, so treating it as the operation's most valuable secret is priority number one. The practices below are not optional, they are the minimum that separates a responsible integration from an incident waiting to happen.
- Store it in a credential vault. Token only in a vault: the Postman Vault, the n8n or Make manager, protected environment variables. Never in a collection body, a URL, a log, or a code repository.
- One token per integration. This lets you revoke one without taking down the others and makes it easier to audit the source of each action.
- Rotation and revocation. Rotate tokens periodically and revoke immediately when someone leaves the team or there is any suspicion of a leak. Account service keys have a recommended rotation cadence of about six months.
- HTTPS only. All calls use the secure base. Never call over an unencrypted channel.
- Data minimization. Extract only the properties the task requires, so you do not move personal data without need.
- HubSpot deactivates exposed tokens. Since October 2024, HubSpot automatically deactivates tokens it finds publicly exposed, for example in a GitHub repository, and notifies the account. Treat it as a last-resort safety net, not a reason to relax.
|
A tip from someone who has been burned: the worst place for a token is a code repository. Once it enters the version history, even if you delete it later, it stays in that history forever. If that happens, the only correct response is to revoke the token immediately and generate a new one. Deleting the file does not solve it. |
Why this matters for your operation
Authentication looks like a purely technical subject, the kind that only interests whoever writes the code. It is not. The way you authenticate defines the risk the whole operation runs. A token with scopes that are too broad, stored in the wrong place, is an open door to your CRM, which usually holds the company's most sensitive data: contacts, deals, customer history. If that token leaks, the damage is not a bug, it is a security incident and, depending on the data, a compliance issue.
Thinking carefully about authentication is, at heart, protecting the revenue operation's most valuable asset: the customer relationship base. It is not technical overkill, it is responsibility to the business. An integration that starts with well-designed authentication rarely becomes an internal headline over a leak. One that starts careless on this point is just a matter of time.
Common mistakes that charge the price later
Some habits look like innocent shortcuts at the start and become serious problems later. The most common is the one-credential-for-everything, used by several integrations at once, which makes it impossible to revoke one without risking taking down the others. Another is pasting the token straight into an automation flow or the code, instead of referencing it from a vault, leaving the secret exposed to anyone with access to the flow. A third is never rotating tokens, leaving a credential alive for years, long after the people who created it have left.
Avoiding these does not require anything sophisticated, only discipline from day one. One token per integration, minimal scopes, the secret in a vault, and periodic rotation. Four simple habits that turn authentication from a fragile point into a solid base the rest of the integration can grow on with peace of mind.
In practice: the credential that was everywhere
An operation had a single HubSpot credential used by every integration, pasted into a few flows and stored in a shared spreadsheet. It worked, until the day a contributor left and nobody knew exactly where that token was in use. Revoking it meant risking taking down critical processes without knowing which ones. The team was held hostage by its own credential.
The reorganization was to split authentication by purpose: one token per integration, each with minimal scopes, all stored in a vault. From then on, revoking one stopped being a traumatic event, because it became clear what each token reaches. What looked like a simplification at the start, one credential for everything, was actually a ticking time bomb.
Checklist of well-built authentication
- Did you choose the credential type by the number of portals and the features you need, remembering that webhooks require an app?
- Does each token have only the minimal scopes for its task?
- Are read and write split into different tokens where it makes sense?
- Are the tokens stored in a vault, never in code or logs?
- Is there one token per integration, for independent revocation?
- In OAuth, is access token renewal implemented and tested?
- Is there a rotation policy and immediate revocation on departure or leak?
Frequently asked questions
Which credential should I use, private app, OAuth, or a service key?
Private app to integrate a single portal internally, or an account service key for simple, scoped REST calls. OAuth for apps that many portals will install. And if you need webhooks, app cards, or other app features, build an app on the new developer platform. The number of portals and the features you need decide.
What happens if I give the token too many scopes?
The token works, but the risk grows: if it leaks, it grants access to much more than it needed. Follow least privilege and grant only the scopes for the task.
Where do I store the token securely?
In a credential vault: Postman Vault, the n8n or Make manager, or protected environment variables. Never in a collection body, URL, log, or code repository.
Do I need to renew the private app token?
The private app token is fixed and does not expire on its own, but rotate it periodically for security, and account service keys have a recommended six-month rotation. The OAuth access token is short-lived and must be renewed via the refresh token.
Why use one token per integration?
To be able to revoke one without taking down the others and to audit the source of each action clearly. A single credential for everything becomes a single point of failure and risk.
What do I do if a token leaks?
Revoke it immediately and generate a new one, updating it in the integrations that use it. If it entered a repository's history, deleting the file is not enough: revocation is mandatory. HubSpot may also auto-deactivate a publicly exposed token, but do not count on that.
Ready to take your operation to the next level?
Talk to a specialist and see how we can help.