Hubspot API Authentication Guide
When you build integrations with Hubspot, understanding API authentication is essential for secure, reliable access to CRM data and tools. This guide walks through the main authentication methods, how they work, and how to choose the right approach for your project.
What Is API Authentication in Hubspot?
API authentication is the process that proves your app or integration has permission to access specific resources in a Hubspot account. Instead of sharing passwords, you use secure tokens and keys to identify who is calling the API and what they are allowed to do.
Every call to the Hubspot API must include some form of authentication. Without it, the platform cannot verify the identity of the caller, enforce scopes, or protect account data from unauthorized access.
Main Hubspot Authentication Methods
There are several ways to authenticate with the Hubspot API, each with different use cases and security implications. The primary methods are:
- API keys (legacy, being sunset)
- Private apps with access tokens
- OAuth for public or multi-account apps
Legacy Hubspot API Keys
Legacy API keys are long strings that identify your account directly. They were historically used as a simple way to authenticate requests to Hubspot endpoints by adding a query parameter or header.
However, API keys are tied to entire accounts and do not support granular scopes, making them less secure than newer methods. Hubspot is deprecating this method and encouraging developers to migrate to private apps or OAuth.
If you still see documentation or code examples that reference a key parameter, you should plan to replace those calls with a more modern authentication approach.
Private Apps in Hubspot
Private apps are the recommended way to authenticate server-to-server integrations that run for a single account. Instead of using an API key, a private app uses an access token that you generate in your Hubspot settings.
With private apps, you can configure scopes that limit what your integration can read or write. This helps ensure your integration only has access to what it truly needs, which improves security and compliance.
Creating a Private App in Hubspot
To create and configure a private app, follow these general steps in your account:
- Go to Settings > Integrations > Private Apps.
- Select the option to create a new private app.
- Give the app a clear name and description.
- Choose the specific scopes and permissions required by your integration.
- Save and generate an access token.
- Store the token securely in your environment (for example, as an environment variable or in a secret manager).
After these steps, you can use the token in HTTP headers to authenticate API requests.
Using a Hubspot Private App Token
When calling the API with a private app, include the token as a bearer token in the Authorization header:
Authorization: Bearer YOUR_PRIVATE_APP_TOKEN
This header must be sent with every request you make to the Hubspot API. The platform then checks the token, verifies the scopes, and either allows or denies the request based on the permissions you configured.
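As an added example (not code from the original guide), here is how a server-side integration can load a private app token from its environment, attach it as the bearer header on every request, and decide what to do with the platform's answer. The environment variable name, the sample CRM path in the error message and the "pat-na1-" token prefix in the test are assumptions; api.hubapi.com is HubSpot's documented API host.

```python
import os
import urllib.request

# Assumptions (not from the page): the env var name and the sample CRM path used in the error text.
TOKEN_ENV_VAR = "HUBSPOT_PRIVATE_APP_TOKEN"
HUBSPOT_API_BASE = "https://api.hubapi.com"


def load_token(env=None):
    """Read the private app token from the environment; it is never a literal in source."""
    env = os.environ if env is None else env
    token = env.get(TOKEN_ENV_VAR, "").strip()
    if not token:
        raise RuntimeError(f"{TOKEN_ENV_VAR} is not set; keep the token out of source control")
    return token


def build_headers(token):
    """The header every request must carry, plus JSON content negotiation."""
    return {"Authorization": f"Bearer {token}", "Accept": "application/json"}


def build_request(path, token, method="GET"):
    """Construct (without sending) an HTTPS request to a HubSpot API path."""
    if not path.startswith("/"):
        raise ValueError("path must be absolute, e.g. /crm/v3/objects/contacts")
    return urllib.request.Request(HUBSPOT_API_BASE + path,
                                  headers=build_headers(token), method=method)


def classify_status(status):
    """Map an HTTP status to the action the integration should take next."""
    if 200 <= status < 300:
        return "ok"
    if status == 401:
        return "reauth"    # token missing, revoked or rotated: reload credentials, do not retry blindly
    if status == 403:
        return "scope"     # token accepted but lacks a required scope: fix the app's scope config
    if status == 429:
        return "backoff"   # rate limit reached: wait and retry
    return "error"


def redact(token):
    """Log-safe form of a token: a short prefix only, never the secret itself."""
    return token[:8] + "...(redacted)" if len(token) > 8 else "(redacted)"
```

Send the request with urllib.request.urlopen (or any HTTP client) and feed the response status to classify_status; log only redact(token), never the token itself.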
OAuth in Hubspot for Public Apps
OAuth is designed for apps that need to connect to multiple Hubspot accounts or that are listed in an app marketplace. Instead of sharing a single token, each customer authorizes access to their own account and receives a dedicated token for that connection.
With OAuth, users see a consent screen that explains what data and actions your app is requesting. After they approve, your integration receives short-lived access tokens and longer-lived refresh tokens.
How the Hubspot OAuth Flow Works
A typical OAuth flow with Hubspot looks like this:
- Your app redirects the user to a Hubspot authorization URL with your client ID and requested scopes.
- The user logs in (if needed) and reviews the requested permissions.
- The user grants or denies access.
- If granted, Hubspot redirects back to your redirect URI with an authorization code.
- Your server exchanges the authorization code for an access token and refresh token.
- Your app stores the tokens securely and uses the access token in the Authorization header for future API calls.
When the access token expires, your integration can use the refresh token to obtain a new one without requiring the user to authorize again, as long as the refresh token remains valid.
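The flow above, carried through in code as an added example (not the guide's own or HubSpot's SDK code). The two endpoint URLs are HubSpot's documented OAuth endpoints; the state parameter is standard OAuth CSRF protection not mentioned on the page, and the client id, secret, scope string and the stub token endpoint are constructed so the exchange runs offline.

```python
import hmac
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlparse

# HubSpot's documented OAuth endpoints; everything else here (names, stub responses) is constructed.
AUTHORIZE_URL = "https://app.hubspot.com/oauth/authorize"
TOKEN_URL = "https://api.hubapi.com/oauth/v1/token"

def new_state():
    """Unguessable per-login value, stored in the user's session before redirecting."""
    return secrets.token_urlsafe(32)

def build_authorize_url(client_id, redirect_uri, scopes, state):
    """Step 1: the redirect to HubSpot carrying client id, scopes and the anti-CSRF state."""
    query = {"client_id": client_id, "redirect_uri": redirect_uri,
             "scope": " ".join(scopes), "state": state}
    return AUTHORIZE_URL + "?" + urlencode(query, quote_via=quote)

def parse_callback(callback_url, expected_state):
    """Step 4: take the code off the redirect, refusing it if state does not match the session."""
    params = parse_qs(urlparse(callback_url).query)
    if not hmac.compare_digest(params.get("state", [""])[0], expected_state):
        raise ValueError("state mismatch: callback not tied to a login this app started")
    if "code" not in params:
        raise ValueError("no authorization code: user denied access")
    return params["code"][0]

def exchange_code(post, client_id, client_secret, redirect_uri, code):
    """Step 5: server-side only, since it needs the client secret."""
    form = {"grant_type": "authorization_code", "client_id": client_id,
            "client_secret": client_secret, "redirect_uri": redirect_uri, "code": code}
    return post(TOKEN_URL, form)

def refresh_access_token(post, client_id, client_secret, refresh_token):
    """After expiry: a new access token from the refresh token, with no user interaction."""
    form = {"grant_type": "refresh_token", "client_id": client_id,
            "client_secret": client_secret, "refresh_token": refresh_token}
    return post(TOKEN_URL, form)

def fake_token_endpoint(url, form):
    """Constructed stand-in for HubSpot's token endpoint so the flow runs offline."""
    if url == TOKEN_URL and form["grant_type"] == "authorization_code" and form["code"] == "good-code":
        return {"access_token": "at-1", "refresh_token": "rt-1", "expires_in": 1800}
    if url == TOKEN_URL and form["grant_type"] == "refresh_token" and form["refresh_token"] == "rt-1":
        return {"access_token": "at-2", "refresh_token": "rt-1", "expires_in": 1800}
    raise ValueError("token endpoint rejected the request")
```

In production, `post` is a function that sends the form as a URL-encoded POST over HTTPS and returns the parsed JSON body; the stub is only for running the flow locally.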
Choosing the Right Hubspot Auth Method
The best authentication approach depends on how your integration interacts with Hubspot and who will use it. Below is a simple way to decide:
- Private app tokens are ideal for server-side tools that connect to a single Hubspot account, such as internal reporting dashboards or custom back-office automation.
- OAuth is ideal when you build a public app or SaaS integration that many different customers connect to their own accounts.
- Legacy API keys should be replaced with private apps or OAuth to align with current Hubspot security standards.
Common Hubspot Use Cases
A few scenarios illustrate the typical choices:
- Single company using in-house scripts: Use a private app with scoped access and keep tokens in secure storage.
- Third-party SaaS platform: Use OAuth so each customer can connect their Hubspot account with granular consent.
- Migration from API keys: Create a private app, match scopes to your existing functionality, swap authentication in code, and remove the legacy key.
Best Practices for Secure Hubspot Integrations
Regardless of which authentication method you use, follow these practices to keep your Hubspot integration secure and reliable:
- Never hard-code tokens in source control. Use environment variables, vaults, or secret managers.
- Limit scopes. Request only the permissions your integration truly needs.
- Rotate tokens periodically. Regenerate private app tokens and update stored credentials when required.
- Use HTTPS everywhere. Ensure all traffic to Hubspot endpoints goes over TLS.
- Handle errors gracefully. Detect expired or invalid tokens and re-authenticate when necessary.
Monitoring Your Hubspot API Usage
Monitoring is an important part of keeping your integration healthy. You can:
- Track API quotas and rate limits for each token.
- Log requests and responses for troubleshooting (omitting sensitive data).
- Watch for unusual patterns in traffic that might indicate misuse.
By keeping detailed logs and metrics, you can quickly detect authentication problems and correct them before they disrupt your connection to Hubspot data.
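As an added example (not from the original guide), the following parses a constructed request log in which tokens appear only as redacted prefixes, summarizes failures per token, and flags the two patterns the text points at: repeated 401/403 responses (a revoked or rotated token, or a missing scope) and repeated 429 responses (a client burning through its rate limit). The log format and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample request log; the integration logs tokens only as a redacted prefix.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z token=pat-na1-0a.. GET /crm/v3/objects/contacts 200
2024-05-01T10:00:02Z token=pat-na1-0a.. POST /crm/v3/objects/contacts 401
2024-05-01T10:00:03Z token=pat-na1-0a.. POST /crm/v3/objects/contacts 401
2024-05-01T10:00:04Z token=pat-na1-0a.. POST /crm/v3/objects/contacts 401
2024-05-01T10:00:05Z token=pat-na1-7f.. GET /crm/v3/objects/companies 429
2024-05-01T10:00:06Z token=pat-na1-7f.. GET /crm/v3/objects/companies 429
2024-05-01T10:00:07Z token=pat-na1-7f.. GET /crm/v3/objects/companies 200
this line is malformed and is skipped rather than guessed at
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) token=(?P<token>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")

def parse_log(text):
    """One dict per well-formed line; status becomes an int so it can be bucketed."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["status"] = int(e["status"])
            entries.append(e)
    return entries

def summarize(entries):
    """Per redacted token: total calls, auth failures (401/403) and rate-limit hits (429)."""
    stats = defaultdict(lambda: {"calls": 0, "auth_failures": 0, "rate_limited": 0})
    for e in entries:
        s = stats[e["token"]]
        s["calls"] += 1
        if e["status"] in (401, 403):
            s["auth_failures"] += 1
        elif e["status"] == 429:
            s["rate_limited"] += 1
    return dict(stats)

def findings(entries, auth_fail_threshold=3, rate_limit_threshold=2):
    """Flag repeated auth failures (revoked token or missing scope) and repeated 429s (runaway client)."""
    flagged = []
    for token, s in sorted(summarize(entries).items()):
        if s["auth_failures"] >= auth_fail_threshold:
            flagged.append((token, "auth_failures=%d" % s["auth_failures"]))
        if s["rate_limited"] >= rate_limit_threshold:
            flagged.append((token, "rate_limited=%d" % s["rate_limited"]))
    return flagged
```

Running findings(parse_log(SAMPLE_LOG)) on the sample flags the first token for three auth failures and the second for two rate-limit hits; tune the thresholds to your own traffic.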
Further Learning and Helpful Hubspot Resources
To deepen your understanding of authentication and stay current with platform changes, review the official documentation and security announcements. You can start with the detailed overview in the original guide at this Hubspot API authentication article.
If you are planning a larger integration project or need help with complex SEO and technical implementation around Hubspot, consider consulting specialized agencies. For example, Consultevo offers strategic guidance on integrations, automation, and search optimization.
Summary: Implementing Hubspot Authentication Safely
Modern authentication with Hubspot focuses on scoped, token-based access rather than broad account-wide keys. Private apps support secure, single-account integrations, while OAuth enables multi-tenant and public apps with explicit user consent.
By choosing the right method, limiting scopes, securing tokens, and monitoring usage, you can build integrations that take full advantage of Hubspot APIs while protecting your users and their data.
Need Help With Hubspot?
If you want expert help building, automating, or scaling your Hubspot, work with ConsultEvo, a team that has a decade of Hubspot experience.