Method to authenticate an application (instead of a user) using OAuth2 protocol


Is there a method to authenticate an application (instead of a user) to communicate with HubSpot APIs using OAuth2 protocol or the only way is using the hapikey?


@avomot Yes! Using OAuth2 as you mentioned above.


Hi Peter,

Thank you for the quick response.

What we are trying to obtain is sync our database with HubSpot.
When a contact is updated in the external database we want to update the same contact inside HubSpot automatically. What is the best method of authentication in this case?

Looking at this answer your colleague David Adams gives here: OAuth via batch not interactive makes me think we have to use the API key authentication as we don’t have a human that can click and accept.

Any advice?


@avomot For your specific use case I would follow David’s advise and use the API key for persistent automated calls to sync your database with HubSpot.


Thank you, Peter! I really appreciate your help :slight_smile:


Hi, I have the same use case as Avomot. We’re just syncing our DB with hubspot. I see that I can use an API key, but putting an API key in the query params is highly insecure, and opens up an attacker to gaining access to all of our Hubspot contacts. I suppose we could theoretically do OAuth, but we really aren’t the use case for OAuth here. This is just a user wanting to have programatic access to their own account.
There will never be any outside customers that use our “integration”. We’re just updating our own Hubspot account with our own data. We’d just like to do so securely.

What do you recommend? Thanks! - Blake


@Blake_West OAuth is definitely a more secure way of handling the http calls. You will have to hold on to the refresh token in memory and handle refreshing your access token every 6-8 hours to prevent getting a 401 error


@pmanca thanks for the info. I guess we’ll have to do that, though I must say this feels like overkill for our use case. Accepting API keys through custom headers (and/or Basic Auth headers) is standard API practice, and would make this use case significantly easier to implement. It seems other companies have this use case too, so I think it would be a great quick win for your API. Thanks - Blake


You can and should use OAuth2 when authenticating an application.

The thing to know/remember is that the “Refresh Token” does not expire. You need to get this once and then store it. From there you can get new “Access Tokens” as needed, because these do expire.
Use the ‘expires_in’ field from the response in the call to get the refresh token or the call to get a new access token to know how often to refresh the access token.


OAuth via batch not interactive

I think root cause here is that the current OAuth2 implementation by HubSpot doesn’t allow for the client credentials grant type ( Anyone know if HubSpot plans to change this or move the specification of API key from query string to HTTP header?