There's a new version of the HubSpot API

Check out the new API
View Beta Docs

We're also working on a new documentation website, you're invited to check it out and give us your feedback.

Get OAuth 2.0 access and refresh tokens

Last updated January 7, 2025

POST /oauth/v1/token

Method Details

HTTP Methods:

POST

Content Type:

application/x-www-form-urlencoded

Response Format:

json

Requires Authentication?

Yes

Rate Limited?

Yes

Headers

User-Agent

Products:

Marketing & CRM

Use the code you get after a user authorizes your app to get an access token and refresh token. The access token will be used to authenticate requests that your app makes. Access tokens are short lived, so you can use the refresh token to get a new access token when the current access token expires.
Note: HubSpot access tokens will fluctuate in size as we change the information that is encoded. We recommend allowing for tokens to be up to 300 characters to account for any changes.
Required parameters How to use Description
Grant type  grant_type=authorization_code
Used in the request body		 The grant type of the request, must be authorization_code for the initial request to get the access and refresh tokens.
Client ID client_id=x The Client ID of your app.
Client secret client_secret=x
Used in the request body		 The Client Secret of your app.
Redirect URI  redirect_uri=x
Used in the request body		 The redirect URI that was used when the user authorized your app. This must exactly match the redirect_uri used when initiating the OAuth 2.0 connection.
Code code=x
Used in the request body		 The code parameter returned to your redirect URI when the user authorized your app.

About

Jobs

Learn Inbound

Support

Locations

HubSpot, Inc.
25 First Street, 2nd Floor
Cambridge, MA 02141
European Headquarters
Ground Floor, Two Dockland Central
Guild Street, Dublin 1
Asia/Pacific Office
20 Hunter St, Level 7
Sydney NSW 2000
View our other locations
POST URL: https://api.hubapi.com/oauth/v1/token Headers: Content-Type: application/x-www-form-urlencoded;charset=utf-8 Data: grant_type=authorization_code&client_id=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx&client_secret=yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy&redirect_uri=https://www.example.com/&code=zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz If successful, you will receive a JSON response with the tokens: { "access_token": "xxxx", "refresh_token": "yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy", "expires_in": 21600 } If there are any problems with the request, you'll receive a 400 response with an error message. { "status": "EXAMPLE_ERROR_CODE", "message": "A human readable error message", "correlationId": "da1e1d2f-fa6b-472a-be7b-7ab9b9605d59", "requestId": "ecc0b50659814f7ca37f5d49cdf9cbd3" }