Skip to main content

There are two ways to authenticate calls to HubSpot's APIs: OAuth, and private app access tokens. Below, learn more about each method and how to include it in your code for authorization.

If you were previously using an API key to authenticate, learn how to migrate to using a private app access token instead.

To make a request using OAuth when building a public app, include the OAuth access token in the authorization header:

Similar to OAuth, to make a request using a private app access token, include the token in the authorization header:

To protect developers from potential security incidents, HubSpot leverages the monitoring and secret scanning capabilities provided by GitHub to detect any HubSpot authentication tokens that are publicly exposed in GitHub repositories. Any detected tokens will automatically be deactivated, and you will be notified via email and in-app notification so you can generate a new token and update your integrations to replace the revoked token.

revoked-access-token-in-app-banner

The affected key and token types are listed below:

The automatic deactivation process will be mandatory on April 7, 2025. If you want to opt-in to this feature proactively, you can opt your account into the beta by following the instructions in this Knowledge Base article.


Working with OAuth

OAuth Quickstart Guide

Private Apps