Is there a way to gate certain parts of the Contacts API? How do I keep my data safe?

#1

Hi there,
We have some outside developers working on a web app that we’d like to feed customer data into our HubSpot portal. My exec team has decided that our business intel is too valuable to let our devs have carte blanche with the contact data.

Is there a way to limit certain aspects of the API integration? Is there a way to make sure they don’t just issue a get command to our entire contact base and make off with our painstakingly researched and built lists?

I had previously told the execs that if they have OAuth or API key access, they have it all. Is this true?

EDIT: It would be really great if we could limit their authorization scope to only the ‘Contact Properties API’. Is there a way to do this?


#2

Hi @grant_foster,

You’re correct; if they’re using your portal’s API key for authentication, it’s not possible to limit their access to specific APIs. If they’re using OAuth to authenticate, they can limit the scopes they request to the contacts scope, which includes Contacts, Companies, and Deals, along with the associated property APIs, Engagements API, and Owners API. It’s not currently possible to limit this access further (to just the contact properties API, for example). The following developer document covers these scopes: