Struggling to figure out how to get an API key for HubSpot for your integrations? Well, let’s just say things have changed a bit! If you’ve heard about the old “HubSpot API key” and are looking for that specific string of characters, you’re actually looking for something that’s largely a thing of the past. HubSpot, always trying to keep your data safe, made a big move to sunset those traditional API keys a while back.
Today, getting an API key for HubSpot really means generating an access token through what HubSpot calls Private Apps. This isn’t just a fancy name; it’s a much more secure and controlled way to let your other tools talk to your HubSpot account. Think of it like giving a specific guest a key to only one room in your house, rather than giving them a master key to everything. This video is all about helping you understand this shift, walking you through exactly how to create a private app and generate an API key (or rather, an access token), and showing you how to find your API key the new, more secure way. We’ll also chat about why this change happened, what it means for HubSpot API pricing, and even dive into a HubSpot form API example. By the end, you’ll feel confident connecting your HubSpot account with your favorite applications, the right way.
What Exactly Is an API Key for HubSpot and Why Did It Change?
First off, let’s quickly break down what an API key is at its core. API stands for Application Programming Interface. In simple terms, it’s a way for different software applications to communicate with each other. An API key was traditionally a unique identifier, like a secret password, that an application would use to authenticate itself when making requests to HubSpot’s systems. If you wanted your website to push new leads into HubSpot when someone filled out a form, your website would use this API key to prove it had permission.
The Big Shift: Why HubSpot Deprecated API Keys for Private Apps
Now, for the important part: the “API key” as many once knew it in HubSpot is no longer the recommended or even available method for most new integrations. HubSpot officially began deprecating its legacy API keys starting in June 2022, and as of November 30, 2022, they are no longer supported. What this means for you is that you can’t create a HubSpot API key the old way anymore if your account didn’t already have one by July 15, 2022.
Why the big change? It all boils down to security, plain and simple. The old API keys, while convenient, had a pretty significant drawback: they granted almost root access to your entire HubSpot portal. Imagine that master key I mentioned earlier – if it fell into the wrong hands, someone could access or modify almost all your CRM data. This was a huge security risk, especially if keys weren’t rotated regularly or were accidentally exposed in code.
HubSpot’s move to Private Apps and a more modern OAuth 2.0 authentication system was a direct response to this. It allows for much tighter security and gives you granular control over exactly what data an integration can access. So, while you’re still looking for a “key” to unlock HubSpot’s API, what you’ll get now is a more sophisticated, purpose-built access token.
The Modern Way: Generating Your HubSpot Access Token via Private Apps
The old API key is out, and Private Apps are in! This is the recommended and most secure way to connect your custom tools and integrations to your HubSpot account. Let’s walk through what they are and how to set them up.
What are Private Apps?
Think of a Private App as a custom mini-application you build within your HubSpot account, specifically for your own organization’s needs. Unlike public apps found in the HubSpot App Marketplace (which use a different OAuth flow), private apps are exclusive to your account and aren’t listed publicly. They’re perfect for internal tools, custom dashboards, or unique integrations that you’re building just for your team.
Benefits of Private Apps
The shift to Private Apps brings some serious advantages:
- Enhanced Security: This is the big one. Instead of a single key with broad access, private apps generate a unique access token. More importantly, these tokens are tied to specific permissions, or “scopes,” that you define. So, if your app only needs to read contact data, you can grant it only that permission, limiting the potential damage if the token is ever compromised. This granular control is a must.
- Granular Control: You decide precisely what parts of your HubSpot data and functionality your integration can touch. Need to update contacts but not deals? You can set that. Need to read companies but not create them? You got it.
- Easier Management: You can create multiple private apps for different integrations, each with its own token and specific permissions. If an integration is no longer needed or a token is compromised, you can revoke or rotate just that specific app’s token without affecting other integrations. This makes managing your integrations much cleaner and safer. You can even rotate the token for an app for added security, with a new one replacing the old one. It’s recommended to rotate your tokens every six months, even if there’s no immediate threat.
Step-by-Step: How to Create a Private App and Get Your Access Token
Now for the practical part – let’s generate your API key HubSpot style, meaning, let’s create a Private App and get that access token! You’ll need to be a Super Admin in your HubSpot account to do this.
- Log in to Your HubSpot Account: Head over to app.hubspot.com and sign in.
- Navigate to Private Apps:
  - Click the settings icon ⚙️ in the main navigation bar (usually top right).
  - In the left sidebar menu, scroll down and find “Integrations,” then click on “Private Apps.”
- Click “Create a Private App”: You’ll see a big orange button. Go ahead and click it.
- Basic Info Tab:
  - App Name: Give your app a clear, descriptive name. Something like “My Website Form Integration” or “Data Sync with .” This helps you remember what it’s for.
  - (Optional) Description: Add a short description explaining its purpose.
  - (Optional) App Logo: You can even upload a logo if you want to make it look official.
- Configure Scopes (This is CRITICAL!):
  - Click on the “Scopes” tab. This is where you tell HubSpot exactly what data and actions your app needs permission to access.
  - At the top of the page, click “Add new scope.”
  - Browse through the categories (e.g., CRM, Marketing, Sales) and select only the minimum necessary permissions for your integration to function. For example, if you’re only submitting form data, you’ll primarily need access to “forms.” If you’re updating contacts, look for crm.objects.contacts and grant both “read” and “write” permissions.
  - Don’t just grant everything! Giving too many permissions defeats the security benefits of Private Apps. It’s like giving that guest the master key again.
- Review and Create Your App:
  - Once you’re happy with your scopes, click “Create app” (usually at the top right).
  - HubSpot will give you a warning about sharing your access token – pay attention to it!
  - Click “Continue creating.”
- Get Your Access Token:
  - After creation, you’ll be taken to your app’s details page, usually on the “Auth” tab.
  - Here, you’ll see your brand-new Access Token. It’s a long string of characters.
  - IMPORTANT: Click “Show token” and then “Copy” immediately. HubSpot only shows this token once, right after you create it. If you navigate away and come back, it will be hidden, and you might need to rotate it to get a new one.
  - Store this token securely! Treat it like a highly sensitive password. Don’t embed it directly in client-side code that could be publicly viewed. Use environment variables or secure storage mechanisms.
And just like that, you’ve essentially generated your HubSpot API key for the modern era! This access token is what you’ll use to authenticate your API calls. For example, when making API requests, you’ll typically include it in an Authorization HTTP header like Authorization: Bearer YOUR_ACCESS_TOKEN.
Finding Your Existing HubSpot API Key (If You Had a Legacy One)
“But what if I did have an old API key, and I need to find it?”
Well, the truth is, if you didn’t have one before July 15, 2022, you won’t be able to find a HubSpot API key in the legacy sense, because new ones couldn’t be created after that date. Existing legacy API keys stopped working on November 30, 2022.
However, if by some rare chance you’re working with a very old, unsupported integration, or just curious where they used to be, the path was typically:
- Settings gear icon in your HubSpot account.
- Then Integrations in the left sidebar.
- And finally, an option for “API key” (which is now replaced or removed in favor of “Private Apps”).
But honestly, if you’re still relying on a legacy API key for any integration, the most important thing you need to do is migrate it to a Private App as soon as possible. Continuing to use outdated authentication methods is a significant security risk, and your integration would likely have stopped working anyway after November 30, 2022.
HubSpot API Pricing and Rate Limits
“Is HubSpot API pricing going to break the bank?”
Good news! Access to HubSpot’s APIs is generally included with your existing HubSpot subscription tiers (Free, Starter, Professional, Enterprise). You don’t usually pay a separate fee just to use the API endpoints.
However, what you do need to be aware of are API rate limits. These are the restrictions on how many requests your integration can make to HubSpot’s API within a certain timeframe. HubSpot uses a “sliding window” approach, meaning requests are evaluated on a rolling basis, not just within fixed seconds.
Here’s a general idea of the rate limits, though these can change, so always check HubSpot’s official documentation for the latest numbers:
- Free & Starter Tiers: Typically allow around 100 requests every 10 seconds, with a daily limit of 250,000 requests per day.
- Professional & Enterprise Tiers: These tiers get a boost, often allowing 150-190 requests every 10 seconds, and a daily limit between 500,000 and 650,000 requests per day.
- API Add-on: For those needing serious API firepower, HubSpot offers an API add-on. This can significantly increase your limits, bumping you up to 200-250 requests every 10 seconds and a whopping 1,000,000 to 2,000,000 requests per day. You can sometimes purchase this capacity pack twice for even more headroom.
Why do these limits matter? If your integration hits these limits too often, HubSpot will start returning errors, and your data might not sync correctly.
Tips to avoid hitting rate limits:
- Batch Requests: If you need to update many records, use batch endpoints when available. HubSpot’s CRM object endpoints are typically limited to 100 records per request.
- Optimize Your Calls: Only request the data you actually need.
- Implement Throttling/Retry Logic: Build your integration to pause and retry gracefully if it receives a rate limit error.
- Monitor Usage: You can check your API usage within your HubSpot account, often under the “Logs” or “Security” tab of your Private App, or via specific API endpoints.
- Split Dashboards: If you’re using many widgets on a dashboard that pull HubSpot data, consider splitting them across multiple dashboards to stagger refresh times and reduce concurrent requests.
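The throttling and retry tip above, as an added example (not HubSpot's code and not from the original article): a rolling-window limiter plus a retry policy. The 100-per-10-seconds default is the Free/Starter figure quoted above; the HTTP 429 status, the Retry-After handling and every function name here are assumptions of this example.

```javascript
// Added example, not HubSpot code. Assumed limit: 100 requests per 10 s.
class SlidingWindowLimiter {
  constructor(limit = 100, windowMs = 10_000) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.sent = []; // send times in ms, oldest first (may include booked future slots)
  }

  // Book a slot for one request at time `now`; returns the ms to wait before sending.
  reserve(now) {
    while (this.sent.length && this.sent[0] <= now - this.windowMs) this.sent.shift();
    let sendAt = now;
    if (this.sent.length >= this.limit) {
      // Window full: wait until the request `limit` places back has aged out.
      sendAt = Math.max(now, this.sent[this.sent.length - this.limit] + this.windowMs);
    }
    this.sent.push(sendAt);
    return sendAt - now;
  }
}

// Delay in ms before retry number `attempt` (0-based), or null for "do not retry".
// Assumptions: rate-limit errors arrive as HTTP 429, and a numeric Retry-After
// header (seconds) is honoured when the server sends one.
function retryDelayMs(status, retryAfter, attempt, baseMs = 1000, capMs = 30_000) {
  // 401/403 and other 4xx: a retry cannot fix a bad token, scope or payload.
  if (status !== 429 && status < 500) return null;
  const seconds = Number.parseFloat(retryAfter);
  if (Number.isFinite(seconds) && seconds >= 0) return Math.min(seconds * 1000, capMs);
  return Math.min(baseMs * 2 ** attempt, capMs); // exponential backoff: 1 s, 2 s, 4 s, ...
}

// Pace every attempt through the limiter and retry only retryable failures.
// `send` is any function returning a fetch-style Response.
async function sendWithPacing(send, limiter, opts = {}) {
  const { maxAttempts = 5, now = Date.now } = opts;
  const sleep = opts.sleep || ((ms) => new Promise((resolve) => setTimeout(resolve, ms)));
  for (let attempt = 0; ; attempt++) {
    await sleep(limiter.reserve(now()));
    const res = await send();
    if (res.ok) return res;
    const delay = retryDelayMs(res.status, res.headers.get('retry-after'), attempt);
    if (delay === null || attempt + 1 >= maxAttempts) {
      throw new Error(`HubSpot request failed with HTTP ${res.status}`);
    }
    await sleep(delay);
  }
}
```

Share one limiter instance across all calls made with the same Private App token, since the limit applies to the app and not to each call site.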
While using HubSpot’s APIs themselves is generally included, remember that if you’re hiring developers or using third-party services to build custom integrations, those services will have their own costs. The pricing for custom HubSpot API integrations can vary widely based on complexity, from a few hundred to thousands of dollars, either as a fixed price or a monthly subscription.
Real-World Example: HubSpot Form API
Let’s look at a common scenario: submitting data to a HubSpot form using the API. This is perfect for when you have a custom form on your website and want the submissions to land directly in HubSpot, just like a native HubSpot form would.
With Private Apps, you’ll use the authenticated form submission endpoint. It typically looks something like https://api.hsforms.com/submissions/v3/integration/secure/submit/{portalId}/{formGuid}.
Here’s a simplified breakdown of what you’d typically do in your custom code (e.g., JavaScript on your server or a secure backend):
- Identify Your Portal ID and Form GUID:
  - Your Portal ID is your unique HubSpot account ID. You can find it in your HubSpot URL (e.g., app.hubspot.com/1234567/) or in your settings.
  - The Form GUID is the unique ID for your specific HubSpot form. You can find this in the URL when you’re editing a form in HubSpot, or through the Forms API documentation.
- Gather Form Data: Collect the values from your custom HTML form fields (e.g., first name, last name, email). Make sure the name attributes of your HTML form fields match the internal property names in HubSpot (e.g., firstname, lastname, email).
- Include the hubspotutk Cookie: This is super important for proper tracking! The HubSpot tracking code (which should be on your website) generates a cookie called hubspotutk. When you submit data via the Forms API, you should include this hubspotutk value in your request. HubSpot uses it to connect the visitor’s browsing history to the contact record created or updated by the form submission. Failing to send this is a common mistake!
- Construct Your API Request:
  - You’ll send a POST request to the authenticated forms endpoint.
  - The Authorization header will contain your Private App’s access token: Authorization: Bearer YOUR_ACCESS_TOKEN.
  - The Content-Type header will be application/json.
  - The request body will be a JSON object containing your form fields and their values, along with a context object that includes the hubspotutk cookie, pageUri, and pageName. You can also include submittedAt to backdate a submission (though not by more than a month).
Here’s a conceptual (not runnable) example of what that might look like in JavaScript for a secure server-side call:
const portalId = 'YOUR_PORTAL_ID';
const formGuid = 'YOUR_FORM_GUID';
const accessToken = 'YOUR_PRIVATE_APP_ACCESS_TOKEN'; // Keep this secure!
// Runs on the server. hubspotutk, pageUri and pageName are read in the browser
// (the hubspotutk cookie, window.location.href, document.title) and sent to
// your backend together with the form data.
async function submitHubSpotForm(formData, { hubspotutk, pageUri, pageName }) {
  const data = {
    "fields": Object.keys(formData).map(key => ({
      "name": key,
      "value": formData[key]
    })),
    "context": {
      "hutk": hubspotutk,
      "pageUri": pageUri,
      "pageName": pageName
    },
    // "submittedAt": Date.now() // Optional: uncomment to set submission time
  };
  try {
    const response = await fetch(`https://api.hsforms.com/submissions/v3/integration/secure/submit/${portalId}/${formGuid}`, {
      method: 'POST',
      headers: {
        'Content-Type': 'application/json',
        'Authorization': `Bearer ${accessToken}`
      },
      body: JSON.stringify(data)
    });
    if (!response.ok) {
      throw new Error(`HubSpot API submission failed: ${response.statusText}`);
    }
    const result = await response.json();
    console.log('Form submitted successfully:', result);
    return result;
  } catch (error) {
    console.error('Error submitting form to HubSpot:', error);
    throw error;
  }
}
// Example usage (assuming you have a way to get formData from your HTML form)
// const myFormData = {
//   firstname: 'John',
//   lastname: 'Doe',
//   email: '[email protected]'
// };
// submitHubSpotForm(myFormData, { hubspotutk, pageUri, pageName });
This ensures your form submissions are handled securely and accurately, associating them with the correct visitor tracking in HubSpot.
Best Practices for API Security and Usage
Working with any API, especially one that handles sensitive customer data like HubSpot’s, requires careful attention to security and best practices. Here are some key things to keep in mind:
- Securely Store Your Access Tokens: Never hardcode your Private App access token directly into publicly accessible client-side code (like frontend JavaScript). Use environment variables on your server, a secure secrets manager, or a server-side proxy to make API calls. This is arguably the most important security rule.
- Principle of Least Privilege: When setting up your Private App, grant only the scopes (permissions) that your integration absolutely needs to function. If it just reads contacts, don’t give it write access to deals or marketing emails. This minimizes the risk if your token is ever compromised.
- Rotate Your Tokens Regularly: Even with all the security measures, it’s a good habit to rotate your Private App access tokens every few months, perhaps every six months. HubSpot makes this easy within the Private App settings. If you suspect a token might be compromised, rotate it immediately.
- Implement Robust Error Handling: APIs can fail for various reasons (rate limits, invalid data, network issues). Your integration should be built to gracefully handle API errors, log them, and potentially retry requests when appropriate.
- Monitor API Usage: Keep an eye on your API call volume. HubSpot provides ways to review daily API usage for your private apps. This can help you anticipate hitting rate limits and debug issues.
- Use Client Libraries: If you’re using a common programming language (like Python, Node.js, PHP, Java, Ruby, .NET), HubSpot often provides official or community-supported client libraries. These libraries simplify API interactions, handling authentication, request formatting, and error parsing, making development faster and less prone to errors.
- Stay Updated: HubSpot frequently updates its APIs and authentication methods. Keep an eye on their developer documentation and announcements to ensure your integrations remain compatible and secure.
By following these best practices, you can ensure your HubSpot API integrations are both powerful and protected.
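The token-storage and server-side proxy advice above, as an added example (not HubSpot's code and not from the original article): the backend builds the outbound request from what the browser posted, reads the token from the environment, and scrubs it from log text. HUBSPOT_ACCESS_TOKEN, ALLOWED_FIELDS, the length caps, the 32-hex-character hubspotutk check and both function names are assumptions of this example.

```javascript
// Added example, not HubSpot's or the article's code. Hypothetical names:
// HUBSPOT_ACCESS_TOKEN, ALLOWED_FIELDS, buildSubmission, redact.
const ALLOWED_FIELDS = new Set(['firstname', 'lastname', 'email']);
const MAX_VALUE_LENGTH = 500; // assumed cap for this example

// Turn what the browser posted to YOUR backend ({ fields, hutk, pageUri, pageName })
// into the outbound HubSpot request. The browser never sees the token.
function buildSubmission(body, env, portalId, formGuid) {
  const token = env.HUBSPOT_ACCESS_TOKEN;
  if (!token) throw new Error('HUBSPOT_ACCESS_TOKEN is not set'); // fail closed

  const fields = [];
  for (const [name, value] of Object.entries(body.fields || {})) {
    if (!ALLOWED_FIELDS.has(name)) continue; // ignore properties the form does not own
    if (typeof value !== 'string' || value.length > MAX_VALUE_LENGTH) {
      throw new Error(`Invalid value for field ${name}`);
    }
    fields.push({ name, value });
  }
  if (fields.length === 0) throw new Error('No accepted fields in submission');

  const context = {};
  // Assumption: hubspotutk is a 32-character hex string; anything else is dropped.
  if (typeof body.hutk === 'string' && /^[0-9a-f]{32}$/i.test(body.hutk)) context.hutk = body.hutk;
  if (typeof body.pageUri === 'string') context.pageUri = body.pageUri.slice(0, 2048);
  if (typeof body.pageName === 'string') context.pageName = body.pageName.slice(0, 256);

  const path = `${encodeURIComponent(portalId)}/${encodeURIComponent(formGuid)}`;
  return {
    url: `https://api.hsforms.com/submissions/v3/integration/secure/submit/${path}`,
    options: {
      method: 'POST',
      headers: { 'Content-Type': 'application/json', Authorization: `Bearer ${token}` },
      body: JSON.stringify({ fields, context }),
    },
  };
}

// Remove the token from text headed for logs or error responses.
function redact(text, env) {
  const token = env.HUBSPOT_ACCESS_TOKEN;
  return token ? String(text).split(token).join('[REDACTED]') : String(text);
}

// Usage on the server:
//   const { url, options } = buildSubmission(req.body, process.env, portalId, formGuid);
//   then await fetch(url, options), logging failures only through redact().
```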
Frequently Asked Questions
What is the difference between a legacy API key and a private app access token?
The main difference is security and control. A legacy API key was a single, static key that granted broad, often root-level access to your entire HubSpot portal. If compromised, it was a major risk. A private app access token, on the other hand, is generated by a Private App you create in HubSpot, and it only grants access to specific data and actions (scopes) that you explicitly define. This provides granular control and significantly enhances security.
Is the HubSpot API key still supported?
No, the traditional HubSpot API key as an authentication method was officially deprecated. HubSpot stopped supporting API keys for most new integrations on November 30, 2022. The recommended and current method is to use Private Apps to generate access tokens.
Can I use the HubSpot API for free?
Yes, access to HubSpot’s APIs is generally included across all HubSpot tiers, including the Free and Starter plans. However, the number of API requests you can make (your “rate limit”) varies significantly based on your HubSpot subscription level. For higher volumes of API calls, Professional and Enterprise tiers, or an API add-on, might be necessary.
What are API rate limits in HubSpot?
API rate limits are restrictions on how many requests your integration can make to HubSpot’s API within a specific timeframe (e.g., requests per 10 seconds or per day). These limits vary by your HubSpot subscription tier. Exceeding them can result in temporary blocks or errors for your integration. For example, Free & Starter tiers generally have lower limits (e.g., 100 requests/10 seconds, 250,000/day) compared to Professional and Enterprise tiers (e.g., 150-190 requests/10 seconds, 500,000-650,000/day).
How do I handle authentication with HubSpot APIs?
The modern and recommended way to handle authentication for custom, single-account integrations is by using Private Apps. You create a Private App in your HubSpot account, define its specific permissions (scopes), and then get an access token. This token is then included in the Authorization header of your API requests, typically in the format Authorization: Bearer YOUR_ACCESS_TOKEN. For public apps or integrations meant for multiple HubSpot accounts, OAuth 2.0 is the required authentication method.
Where can I find HubSpot API documentation?
You can find the most comprehensive and up-to-date information on HubSpot’s developer website. Just search for “HubSpot Developer Documentation” or “HubSpot API Documentation” to access guides on various APIs (CRM, Marketing, Sales), authentication methods, best practices, and more.