
As of November 30, 2022, HubSpot API keys are no longer a supported authentication method for accessing HubSpot APIs. Instead, you should use a private app access token or OAuth to authenticate API calls. Learn more about this change and how to migrate an API key integration to use a private app instead.

OAuth 2.0 Overview

Authentication for your integration starts with creating an app in a HubSpot developer account. You'll use the client ID and client secret from that app to initiate the OAuth handshake between HubSpot and your integration.

Note: If you're just getting started with building on HubSpot, we strongly recommend checking out the OAuth 2.0 Quickstart Guide. This guide will quickly get you up and running with a working example app.

Scopes

OAuth 2.0 allows a user to authorize your app to work with specific tools in their HubSpot account, designated by the authorization scopes you set. You can find more details about the available scopes and the tools they provide access to here.

Connecting your app to HubSpot using OAuth 2.0

There are four main steps to connect your integration with a customer's HubSpot account using OAuth:

Note: Your app will not appear as a connected app in the integration settings unless you complete the first two of these steps. You must generate the refresh token and initial access token to have the app appear as connected.

  1. Build the authentication URL for your app, and send the HubSpot user to that URL. The user will be presented with a screen that allows them to grant access to your integration. If a user has multiple HubSpot accounts, they'll have the option to choose which account they're granting access for.
  2. After the user grants access, they'll be returned to your app, with a code appended to the URL. Use that code and your client secret to get an access_token and refresh_token.
  3. Use that access_token to authenticate any API calls that you make for that HubSpot account.
  4. Once that access_token expires, use the refresh_token from Step 2 to generate a new access_token.
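
The four steps above, sketched in Python as an added example (not HubSpot's own code), with a `state` check so the returned code is only accepted for the session that started the flow. The endpoint URLs, the `state` parameter, the form field names and the `expires_in` response field are assumptions not stated on this page; confirm them against HubSpot's OAuth reference.

```python
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed endpoints, not stated on this page: check HubSpot's OAuth reference.
AUTHORIZE_URL = "https://app.hubspot.com/oauth/authorize"
TOKEN_URL = "https://api.hubapi.com/oauth/v1/token"


def build_auth_url(client_id, redirect_uri, scopes):
    """Step 1: return (url, state); keep state in the user's server-side session."""
    state = secrets.token_urlsafe(32)  # unguessable, binds the callback to this session
    query = urlencode({"client_id": client_id, "redirect_uri": redirect_uri,
                       "scope": " ".join(scopes), "state": state})
    return f"{AUTHORIZE_URL}?{query}", state


def code_from_callback(callback_url, expected_state):
    """Step 2: accept the code only when state matches what step 1 stored."""
    params = parse_qs(urlparse(callback_url).query)
    state = params.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    if "code" not in params:
        raise ValueError("callback carries no code")
    return params["code"][0]


def token_form(client_id, client_secret, redirect_uri=None, code=None, refresh_token=None):
    """Steps 2 and 4: form fields to POST to TOKEN_URL, from your server only."""
    form = {"client_id": client_id, "client_secret": client_secret}
    if code is not None:
        form.update(grant_type="authorization_code", code=code, redirect_uri=redirect_uri)
    elif refresh_token is not None:
        form.update(grant_type="refresh_token", refresh_token=refresh_token)
    else:
        raise ValueError("need a code or a refresh_token")
    return form


def auth_header(access_token):
    """Step 3: header sent with each API call for that HubSpot account."""
    return {"Authorization": f"Bearer {access_token}"}


def needs_refresh(issued_at, expires_in, now=None, skew=60):
    """Step 4: refresh shortly before expiry (expires_in is an assumed field)."""
    now = time.time() if now is None else now
    return now >= issued_at + expires_in - skew
```

Keep the client secret and refresh token on the server, and discard the stored `state` after one use so a replayed callback is rejected.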
