HubSpot Sunsets API Keys: What Does It Mean for the Developers?
By Ayushi Rana
Nov 7, 20227 min read
API keys have been one of the three methods of authentication on HubSpot among OAuth and private app access tokens. As a part of ongoing effort to boost cybersecurity and protect customers’ data, HubSpot has decided to sunset the API keys. Yes that’s correct, HubSpot announced on June 1, 2022 that it will phase out API keys by November 30, 2022.
Businesses will now need alternate solutions for authenticating and authorizing applications and their custom integrations, such as, private apps. In this blogpost we will explore what does API keys sunset means for you, why the change, and what you need to do. But first,
What Are HubSpot API Keys?
Application programming interfaces or APIs allow software programs to communicate, share data and integrate their functionalities with each other. API’s facilitate conversations between disconnected software. But unlike face-to-face conversation it is difficult for an API to verify whether it is talking to who it claims to be. This is where API keys step in.
HubSpot API keys enable account security by automatically identifying and authorizing projects and applications, while limiting API access to those with an API key. In other words, API keys act like an ID card for the client making an API request, helping APIs assign complete access permissions to measure and track how their data is being used.
The only drawback of using API keys is that they function like passwords. If a hacker were to get his hands on your API key, they will have access to your sensitive data and personal information. This is one of the reasons why HubSpot decided to make the move of removing API keys.
How Will This Change Impact Developers?
Once API keys are completely phased out, HubSpot will no longer authenticate custom integrations or those built around API keys. Users who previously developed using API keys will now be required to migrate existing integrations from API keys to private apps or HubSpot Public Apps using OAuth 2.0 instead.
Why This Change? - Increased Security Through Private and Public Apps
Unlike API keys where all HubSpot integrations share the same password, private and public apps allow you to set up distinct and separate static access tokens for each integration. Private access tokens are also scoped so that you can control access to each integration to your HubSpot account. This gives you a greater control over how users access and process business data.
Private apps are not much different from API integrations. The only main difference is that they use a static access token in the authorization HTTP header instead of the API request using a query parameter to authorize API request. In simpler terms it is the difference between giving all users super admin access , as in API keys, and selecting user permissions and privileges, as in private and public apps.
Private apps are mostly used for a single HubSpot account on the other hand you can use public apps for multiple HubSpot accounts.
Migrate Existing App Integrations to Private Apps
Your API key provides both read and write access to your HubSpot CRM data. This can pose a security risk if your API key is compromised. By switching to a private app, you may approve the precise scopes that your integration needs, creating an access token that restricts the information that your integration can access or modify in your account.
Follow these steps to migrate your existing app integrations:
- Create a Private App
- Click the settings icon in the main navigation bar of your HubSpot account.
- Go to Integrations > Private Apps in the menu on the left.
- Click on create a private app
- Configure the information about your app on the Basic Info tab:
- Name your application now.
- To upload a square picture that will be used as the logo for your app, hover your cursor over the placeholder logo and click the upload icon.
- Give your app a description here.
- On the Scopes tab, click.
- Then, based on the APIs that your integration utilizes, choose the scopes to authorize. Which scopes your app needs can be determined by:
- List the HubSpot APIs that your current integration utilizes.
- Navigate to the relevant developer documentation for each API request (the contacts API).
- Scroll to the endpoint that your integration uses, then click the Endpoints tab.
- Find the scopes needed to use the endpoint under the Requirements section. You should choose the scopes indicated under Granular scopes whenever possible instead of those listed under Standard scopes. If no granular scopes are listed, it is better to use the standard scopes.
- Select the Read or Write checks next to the appropriate scopes in the private app's settings. Using the Find a scope search field, you may also look for a scope.
- Click Create app in the top right when you have finished choosing your scopes. After you've created your app, you can always make modifications to it.
- Review the information regarding the access token for your app in the dialogue box, then click Continue Creating.
With a new private app created, you can start making API requests using access tokens.
- Update the Authorization Method of Your Integration's API Request
- Private app access tokens are included in the Authorization header of your request instead of a hapiKey query parameter. Set Bearer YOUR_ACCESS_TOKEN as the Authorization header value when submitting a request.
- You can use one of HubSpot's client libraries to make authorized calls with your access token because private app access tokens are implemented on top of OAuth.
- Remove all citations to the HubSpot API key from your code and switch to using your private app's access token as described above to finish the migration to your private app.
- Instead of hard coding your token into your queries, you might prefer to establish a secret to store it, depending on the request you're making.
- When using a token in a serverless method, for instance, using a secret will stop your token from being made public.
- Verify Requests and Monitor Logs
- No other code alterations are necessary after you've deleted all references to the HubSpot API key and changed them to references to your private app's access token.
- Monitor your private apps’ APIs call logs and make sure that none of them returned 400 error messages.
Conclusion: Don’t Let the Sun Set for Your HubSpot Account
Businesses using custom integrations with API keys have until November 30, 2022, to ensure that they are not affected in any way by HubSpot sunsetting API keys. You have two options: either migrate your keys yourself or have a HubSpot Platinum solutions partner do it for you.
Our experts at Growth Natives have experience creating custom integrations for your HubSpot account and successfully ensured data confidentiality for our customers with our innovative techniques. If you would like to know more information, you can talk to us at firstname.lastname@example.org.