Please note: as of November 30, 2022, HubSpot API keys are no longer a supported authentication method for accessing HubSpot APIs. Instead, you should use a private app access token or OAuth to authenticate API calls. Learn more about this change and how to migrate an API key integration to use a private app instead.

There are two ways to authenticate calls to HubSpot's APIs: OAuth and private app access tokens access tokens. 

When building an integration, keep the in mind that integrations designed for multi-customer use or listing on the App Marketplace must be built as an app using HubSpot’s OAuth protocol

Unless documentation for a specific endpoint says otherwise, all endpoints support both OAuth and API keys. Below are examples of the same cURL request using each authentication method. Aside from authentication, the requests are identical and would return the same results.

In each example, the request is being made to this endpoint (documented here):

GET https://api.hubapi.com/contacts/v1/lists/all/contacts/all

Using OAuth 2.0, which uses the Authorization header:

➜ /~curl --header "Authorization: Bearer C4d***sVq" 
 https://api.hubapi.com/contacts/v1/lists/all/contacts/all

Using a private app access token, which uses the Authorization header:

➜ /~curl --header "Authorization: Bearer ***-***-*********-****-****-****-************" 
https://api.hubapi.com/contacts/v1/lists/all/contacts/all

Once you've created your account and have OAuth credentials, check out initiating OAuth and this Quickstart guide.