How do you get OAuth API token without redirecting to a new URL?


Our integration will interact with the API strictly behind-the-scenes. Is there a way to get an OAuth API token without using a redirect? A redirect will not work for our integration.


A little more detail: Our integration is only for our company, not for our users. We have a system that captures client details that we want to synchronize to HubSpot to ensure we have the same data in both systems. All of the synchronization should happen behind-the-scenes through API calls.

The gist is that we want to authorize our external app, not our individual users. So how do we get an authorization token without the redirect_uri parameter? Can we generate it with the secret on our own using OAuth libraries?



If you are building an internal app that doesn’t need scoping for individual users, I would recommend using your HAPI key instead.


API calls to HubSpot

Okay. I can do that. I was under the impression that it was for testing and that production releases should use OAuth. Is it still okay to use the HAPI key in production in this instance?


@jmoulton if you are building the integration solely for singular use with your portal, it’s fine to use the HAPI key in production.



Just like to add a question to this topic.

If the API key is what we are going to use. How can i integrate with Timeline Event Creation? It requires me to use the token. Any comment on this?

Here’s the API call

Thanks in advance.


We have a similar scenario. We’re using the API for an internal app, but we’d like to be able to use the identify_visitor endpoint (

Since this call would have to be made on the front-end using JavaScript (I assume) instead of the back-end, like most of the other parts of our integration, wouldn’t using the hapi key for that be a security risk?

Are there ways to identify a visitor that wouldn’t involve exposing the hapi key?


@Jacob - when using the ‘identify visitor’ call of the Tracking Code API, you don’t need to make an authenticated call. This JS function is consumed by the HubSpot Tracking Code (so, the JS tracking code needs to be on the page if using the JS identify call). It’s a way of connecting the browser cookie set by the tracking code to a specific contact, as known by their email address.


Aaaaaah! Thanks so much, @Robert_Ainslie!


Hi @jcenteno, do you have any updates? Have you solved your problem? Thanks!