In a world where data security is the top priority (or should be), OAuth 2.0 is your best friend. No more shared passwords or “one again” access that puts your users at the mercy of hacking. With OAuth 2.0, you add a layer of security, while making life easier for everyone. And that’s classy.
Quick reminder before we begin: HubSpot said goodbye to API keys in 2022. And frankly, that’s good. Why? Because OAuth 2.0 is safer, more flexible and (a little) less annoying to manage. But be careful, it’s not a walk in the park either. We're talking about protocols, tokens, scopes... in short, enough to make you sweat a little.
Concretely, OAuth 2.0 allows your application to request access to a HubSpot user's data without the user having to share their password. Basically, your app says to HubSpot, “Hey, can I come in?” And HubSpot says, “OK, but just for what you asked.”
Well, we know that the terms "token", "client", "server" and "scope" are not very appealing. But we're going to try to make it cool. Here are the key elements:
Before embarking on implementation, you must prepare the ground. Go to your HubSpot developer account and follow the guide:
Once this configuration is completed, you will get a client ID and a client secret. Keep them carefully. (No, really, don't leave them lying around in a text file called "password.txt".)
Now is the time to direct your users to the magic URL where they will give their consent. Here is an example:
    https://app.hubspot.com/oauth/authorize
      ?client_id=VOTRE_CLIENT_ID
      &scope=crm.objects.contacts.read
      &redirect_uri=https://monappli.com/callback
And if you want to be a little flashier, add a state parameter. It’s like a little note to yourself to know where the user is coming from.
Now that your user has said "OK", HubSpot sends you an authorization code via the redirect URL. This code is the key to obtaining an access token.
How to do it?
Send a POST request to HubSpot with all the correct parameters:
    POST https://api.hubapi.com/oauth/v1/token
    Content-Type: application/x-www-form-urlencoded

    client_id=VOTRE_CLIENT_ID
    client_secret=VOTRE_CLIENT_SECRET
    grant_type=authorization_code
    redirect_uri=https://monappli.com/callback
    code=LE_CODE
If all goes well, you will receive a response like this:
    {
      "access_token": "JETON_ACCESS",
      "refresh_token": "JETON_ACTUALISATION",
      "expires_in": 1800
    }
With the access token, you can finally start sending queries to HubSpot. But be careful, this is not an unlimited pass. The scopes defined at the outset must be respected.
Example API request:
    GET https://api.hubapi.com/contacts/v1/lists/all/contacts/all
    Authorization: Bearer JETON_ACCESS
And there you have it, you have access to the requested data!
Access tokens are like milk: they have an expiration date. Typically 30 minutes. Fortunately, thanks to the refresh token, you can get a new one without annoying the user.
Example request to renew the token:
    POST https://api.hubapi.com/oauth/v1/token
    Content-Type: application/x-www-form-urlencoded

    grant_type=refresh_token
    client_id=VOTRE_CLIENT_ID
    client_secret=VOTRE_CLIENT_SECRET
    refresh_token=JETON_ACTUALISATION
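The flow described above, from the consent URL to token renewal, as an added Python example that is not code from the original article or from HubSpot: it generates an unguessable state value and checks it on the callback before using the code, builds the two token request bodies, and tracks expiry. The function and class names and the 60-second renewal margin are assumptions; the endpoints and parameters are the ones shown above.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://app.hubspot.com/oauth/authorize"  # from the article
TOKEN_URL = "https://api.hubapi.com/oauth/v1/token"  # POST the bodies below here

def build_authorize_url(client_id, redirect_uri, scope):
    """Return (url, state); keep state in the user's server-side session."""
    state = secrets.token_urlsafe(32)  # unguessable, one per login attempt
    query = urlencode({"client_id": client_id, "scope": scope,
                       "redirect_uri": redirect_uri, "state": state})
    return f"{AUTHORIZE_URL}?{query}", state

def code_from_callback(callback_url, expected_state):
    """Return the authorization code only if the returned state matches."""
    params = parse_qs(urlparse(callback_url).query)
    returned = params.get("state", [""])[0]
    if not expected_state or not hmac.compare_digest(
            returned.encode(), expected_state.encode()):
        raise ValueError("state mismatch, callback rejected")
    if "code" not in params:
        raise ValueError("callback carries no authorization code")
    return params["code"][0]

def token_request_body(client_id, client_secret, *, redirect_uri=None,
                       code=None, refresh_token=None):
    """Form body for TOKEN_URL: refresh if refresh_token is given, else code exchange."""
    fields = {"client_id": client_id, "client_secret": client_secret}
    if refresh_token is not None:
        fields.update(grant_type="refresh_token", refresh_token=refresh_token)
    else:
        fields.update(grant_type="authorization_code",
                      redirect_uri=redirect_uri, code=code)
    return urlencode(fields)

class TokenStore:  # keeps a token response, reports when renewal is due
    def __init__(self, response, now, skew=60):
        self.access_token = response["access_token"]
        self.refresh_token = response["refresh_token"]
        self.expires_at = now + response["expires_in"] - skew  # renew a bit early

    def needs_refresh(self, now):
        return now >= self.expires_at

if __name__ == "__main__":
    url, state = build_authorize_url("VOTRE_CLIENT_ID", "https://monappli.com/callback", "crm.objects.contacts.read")
    code = code_from_callback(f"https://monappli.com/callback?code=LE_CODE&state={state}", state)  # constructed callback
    print(url, code, sep="\n")
```

Send the bodies over HTTPS with the Content-Type shown above, and load the client secret from the environment or a secrets manager rather than from source code.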
OAuth 2.0 may seem intimidating, but it is an incredibly powerful tool for securing your integrations. Once mastered, it becomes second nature (like riding a bike, but without the skinned knees).
And if all this still seems too complex to you, contact the HubSpot experts at if/else agency. We love diving into technical challenges (and yes, even those that involve tons of tokens and scopes).