Hiding client id and secret for an external API


Hey HubSpot Developers,

I'm looking to implement an address checker on a single HubSpot forms field. To do this, I am currently using the NZPost API to make dropdown suggestions and lookups. I have a working prototype on my own machine, however I have found a bit of a flaw with the implementation.

Everytime the user makes a request, they can easily see what the client id and secret is from any web inspector. I don't want anyone coming to this site, picking this up, and abusing the max request limit with these parameters, so I'm wondering if there is a way of hiding the client id and secret from users, whilst still being able to make requests. Is this possible?



Hi @andrewv86,

It's not ever secure to include private authentication details (e.g. API key, client secret, etc.) in a frontend application. Doing so will always expose these details in one form or another. What you'll need to do is proxy the requests from your frontend Javascript through a server that can process the request and make authenticated requests to this 3rd party service.


Thanks for the response @Derek_Gervais,

Is there a way to implement a proxy through hubspot? Or is that something that can be only achieved from having a private server on, say, AWS or GCP?


Hi @andrewv86,

That's a good question; currently, it's not possible to do this in HubSpot. You'll need to use an external hosting service.