API Limit Security Concern



Our security team has a question on the 10,000 requests per day limit. Their concern is that an attacker can submit 10,000 requests through our HubSpot form and block out other users from submitting requests.

Has this ever happened? Are there measures in place to restrict this activity?



Hi Allen,

The 10k API limit actually doesn’t apply to the endpoints that don’t use the oauth token or hapikey. So it doesn’t really apply to the forms or events endpoints.

This means that an attacker would have to know your access token in order to push you over the limit.

With that said, we are currently working on adding limits to Forms specifically. Currently we have run into issues where integrators pushing a large number of forms into the API has caused reliability problems. We’ll communicate more details around this Forms-specific limit as we put it together.