In my web app (running inside the browser), I’m calling the /auth/v1/refresh REST API to get a new access token. However, it fails with the following error message in Chrome:
Below is my request header:
Accept:*/*
Accept-Encoding:gzip, deflate, br
Accept-Language:en-US,en;q=0.8,ja;q=0.6,zh-CN;q=0.4,zh;q=0.2
Connection:keep-alive
Content-Length:0
Content-Type:application/x-www-form-urlencoded
Host:api.hubapi.com
Origin:https://myapp.mydomain.com
Referer:https://myapp.mydomain.com/App/Home/Home.html
User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
Below is my response header:
Access-Control-Allow-Credentials:false
Cache-Control:no-cache
Connection:keep-alive
Content-Encoding:gzip
Content-Length:148
Content-Type:application/json; charset=UTF-8
Date:Fri, 19 Aug 2016 08:19:01 GMT
Vary:Accept-Encoding, User-Agent
If I use a Chrome plugin to force-add the CORS header, it works just fine. So it looks like the CORS header from the HubSpot server side is the only missing piece for this API to work. Could you please advise whether I missed something or whether this is a bug in the refresh API?
At the moment, none of the HubSpot APIs support CORS, as a security measure to prevent access_tokens and other credentials from being exposed to the user in a client-side request. Any requests to HubSpot will need to be made server-side, so you’ll need to process any AJAX requests through a proxy (and the proxy should be adding the tokens to the server-side request).
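The proxy arrangement described in the answer above, as an added example that is not part of the original thread and is not HubSpot code: the browser calls your own server, which looks up the token in a server-side session and attaches it to the outbound request. The path allowlist, the session store, the token value, and sending the token as a Bearer `Authorization` header are assumptions made for illustration.

```javascript
// Added example (not HubSpot code). Runs on the server, e.g. Node.js 18+.
const UPSTREAM = 'https://api.hubapi.com';            // host from the request headers above
const ALLOWED = new Map([                             // hypothetical path/method allowlist
  ['/example/v1/items', new Set(['GET'])],
]);
const FORWARDED_HEADERS = ['accept', 'content-type']; // every other client header is dropped

// Constructed session store: the token lives here and is never sent to the browser.
const sessions = new Map([['sess-123', { accessToken: 'CONSTRUCTED-TOKEN' }]]);

// Turns a browser request ({method, url, headers, sessionId}) into the upstream request.
function buildUpstreamRequest(req) {
  // Parsing against a dummy base normalises "../" segments before the allowlist check.
  const url = new URL(req.url, 'http://proxy.invalid');
  const methods = ALLOWED.get(url.pathname);
  if (!methods || !methods.has(req.method)) return { status: 404 };
  const session = sessions.get(req.sessionId);
  if (!session) return { status: 401 };

  // Discard any credential the client tried to supply itself.
  url.searchParams.delete('access_token');
  const headers = {};
  for (const name of FORWARDED_HEADERS) {
    if (req.headers[name] !== undefined) headers[name] = req.headers[name];
  }
  // Assumption: the upstream API accepts the token as a Bearer header.
  headers.authorization = `Bearer ${session.accessToken}`;
  return {
    status: 200,
    method: req.method,
    url: UPSTREAM + url.pathname + url.search, // host is fixed, never taken from the client
    headers,
  };
}

// Sends the request built above; the browser receives the body, never the token.
async function forward(req) {
  const up = buildUpstreamRequest(req);
  if (up.status !== 200) return { status: up.status, body: '' };
  const res = await fetch(up.url, { method: up.method, headers: up.headers });
  return { status: res.status, body: await res.text() };
}
```

Because the browser only talks to the proxy on the application's own origin, no CORS header from the upstream API is needed.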