Events HTTP API Security


Hi, I’m reading through the API documentation, focusing on the tracking code API, and have a few questions regarding security.

The HTTP Tracking API page mentions the endpoint is not rate limited and unsecured. If I were a malicious player, what would stop me from bruteforcing the HubID or the EventID? The documents mention that a string can be passed in EventID and the system will automatically create the event. Isn’t that prone to abuse? At the very least, it could skew our metrics.

Also, the contact email address parameter exhibits the same behaviour. If someone spams this endpoint with multiple emails, wouldn’t those emails be registered as new contacts? Also, wouldn’t that affect the user’s billing?

Thanks for the suport.


Hi @dsosa,

We have various anti-spam and anti-DDoS protections that protect against malicious activity for all APIs, including un-authed endpoints like the Events API. Additionally, you can delete events in HubSpot if you’re looking to prevent additional completions of the event. If you’re seeing any activity that you believe to be malicious, we can work with security to find a solution.