Managing API Calls Server-Side on HubSpot with Serverless Functions (and Their Limits)

Making API calls on the server side with HubSpot is not only possible - it’s actually recommended when you want to secure your requests, avoid exposing secrets on the client side, or execute more complex business logic.
Since the arrival of serverless functions on the HubSpot CMS, the possibilities have expanded dramatically… but they’re not without constraints.

Are you a HubSpot developer, tech lead, or marketing integrator?
Looking to connect HubSpot to an external system without opening too many doors on the front end?
This article walks you through exactly what you can do, how, and especially how far you can go before hitting the real limits of the platform.

Why Make API Calls Server-Side on HubSpot?

Data Security and Front-End Exposure: A Risk to Avoid

Running API calls through the browser potentially exposes authentication secrets (tokens, API keys) or leaves parts of your business logic visible and editable.
That’s not only a security issue - it’s also a clear GDPR risk if sensitive data is involved.

Serverless functions instead execute your code server-side, in an isolated and secure environment, without exposing anything to the client.

Common Use Cases: CRM Enrichment, Data Sync, Advanced Forms

This model fits perfectly with several key use cases:

• CRM enrichment: call a third-party API (Clearbit, Societeinfo…) to automatically complete a contact record.

• Data synchronization: connect HubSpot to an ERP, business database, or analytics tool.

• Advanced forms: validate dynamic fields, transform responses, or trigger custom processes upon submission.

The benefit is clear: more power, flexibility, and security - all while staying within HubSpot’s ecosystem.

Serverless Functions on HubSpot CMS: How They Work

Definition and General Operation

HubSpot serverless functions let you execute JavaScript server-side, directly within HubSpot’s environment.
That means you can perform API calls, handle sensitive data, or integrate external services without ever exposing logic or secrets on the client side.

Functions execute on demand when an endpoint is called from your site or app - with no server maintenance or backend deployment.
A lightweight, fast, and fully integrated system within HubSpot CMS.

Creating a Function: Structure, Key Files, and Deployment

A serverless function lives in a small .functions folder with three essential files:

• function.js: your JavaScript (Node.js) code

• serverless.json: function configuration (path, name, secrets, endpoint)

• package.json (optional): dependency management if you’re using a developer project

Two creation methods exist:

1. Via the Design Manager (legacy method): limited, no third-party dependencies

2. Via a developer project (recommended): add NPM packages, manage functions locally, and deploy with the CLI

Once your function is ready, it’s exposed at a specific URL and can be called from a module, form, or front-end action.

Secure Authentication via Private App or Secrets

To authenticate your API calls within a serverless function, two options:

• Private app token: ideal if you’re developing through a developer project

• HubSpot Secrets: create and reference them in serverless.json to secure an API key or token

⚠️ Never return a secret in your response or log it with console.log.
Even server-side, data security remains top priority.

API Calls in Serverless Functions: What You Should Know

Standard Use: fetch / axios on the Server Side

In a HubSpot serverless function, you can use fetch (available by default) or axios (via package.json in a developer project) to make API calls.
Perfect for:

• sending data to a third-party system after a form submission,

• retrieving enriched data to inject dynamically into the CMS,

• automatically updating CRM records.

Because it’s done server-side, your API keys or tokens never travel to the browser.

Respecting HubSpot Quotas: Avoid 429 Errors

Each account is subject to strict API call quotas (per second and per day), depending on subscription level and app type (private or public).
If you exceed them:

• HubSpot returns a 429 (Rate Limit Exceeded) error,

• execution fails, and data isn’t processed.

Best practices:

• always handle errors (try/catch) and plan a fallback,

• monitor your consumption via logs,

• spread out calls over the day if possible.

Smart Alternatives: Webhooks, Cache, HubDB

To reduce API pressure:

• Use webhooks: with HubSpot workflows, you can send data automatically without going through a serverless function.

• Store data in HubDB: a temporary CMS-side cache, great for avoiding repeated calls to the same external API.

• Generate static files when possible: for rarely updated data, pre-generated content avoids dynamic calls.

These strategies keep your API calls targeted, efficient, and within allowed limits.

Technical Limits of HubSpot Serverless Functions

Performance and Execution Constraints

HubSpot serverless functions are designed for light, fast processes - with strict limits:

• Max execution time: 10 seconds per function

• Allocated memory: 128 MB

• Max payload: 6 MB per call

• Total execution time: 600 seconds per minute (shared across all account functions)

Beyond these thresholds, the function fails and returns a 429 error.
This can be problematic for complex or heavy processes.

No Multi-File Imports/Dependencies

Serverless functions can’t import multiple JS files. All code must live in a single file.
This limits:

• modular code structuring,

• large third-party libraries (unless bundled via Webpack in developer projects),

• function reusability across projects.

Result: your code can quickly grow long and hard to maintain if not well organized.

Debugging Isn’t Always Smooth

Debugging on HubSpot isn’t as fluid as in a local environment:

• Logs are available, but with slight delay.

• No live console: you must read traces through the UI or CLI.

• Error details are sometimes vague - especially for quota or secret-related issues.

💡 Tip: use console.log() strategically and consistently to ease debugging.

When to Use (and Avoid) Serverless Functions

Best Use Cases

Use serverless functions if:

• You need to secure an API call without exposing sensitive data on the client (e.g., third-party API key).

• You want to interact with the CRM or HubDB directly from a CMS form or dynamic page.

• Your use case is quick and simple: data transformation, validation, light enrichment, etc.

• You want to avoid managing an external server - functions are hosted by HubSpot.

• Your function is called on demand (e.g., button click) with minimal site performance impact.

When to Avoid Them

Avoid serverless functions if:

• Your process takes more than 10 seconds or requires chained API calls.

• You need to handle large datasets or multiple complex modules.

• You can’t store secrets securely (e.g., outside a developer project).

• You need real backend logic with multiple routes, persistence, or queues.

• Your app depends on specific libraries hard to bundle into a single .js file.

In those cases, an external API layer (Node.js server, Firebase backend, or AWS Lambda) will often be a better fit.

Our Tips for Reliable, Long-Lasting Serverless Functions

• Start small, test often: one function = one clear goal. Avoid tangled logic that’s hard to maintain.

• Reduce load on HubSpot: cache data when possible. Fewer calls = more reliability.

• Monitor logs regularly: HubSpot provides detailed logs - use them. They’re key to spotting silent errors.

• Centralize secret management: always use secrets for tokens. Never hardcode keys.

• Respect API quotas: group calls, use batch endpoints, avoid unnecessary requests.

• Plan a fallback: in case of failure, have a plan B (message display, static data, etc.).

• Think ahead: needs evolve. Design modularly from the start for easy iteration.

With these best practices, your serverless functions won’t just be “deployed” - they’ll be reliable, scalable, and genuinely useful.

Need help? Call on an expert Hubspot Agency!