Securing API Access in HubSpot

This Technical Reference Guide offers detailed insights into securing API access within HubSpot. It explains the role of API keys, outlines best practices for their secure handling, and discusses the advantages of OAuth for authentication. The guide further emphasizes the importance of monitoring API usage and limiting API access to minimize potential security risks. This guide is an essential resource for professionals aiming to maintain a secure API environment within their HubSpot instance.
Loved by leading security teams around the world.

API access forms a critical component of many HubSpot integrations, enabling applications to interact seamlessly with your HubSpot instance. However, improperly secured API access can pose significant security risks. This guide explores the best practices for securing API access in HubSpot.

1. Understanding API Access

An API, or Application Programming Interface, allows different software applications to communicate and share data. In HubSpot, API access enables third-party applications to interact with your HubSpot data.

2. API Keys in HubSpot

API keys are unique identifiers used to authenticate API requests. In HubSpot, you can generate API keys within your account settings under 'Integrations'. Note that API keys grant full access to all of your HubSpot data and functionalities, so it's crucial to handle them securely.

3. Securing API Keys

Follow these best practices to secure your API keys:

  • Limited Distribution: Only share API keys with trusted individuals who need them for their work.
  • Encrypt Keys: Always encrypt API keys when stored and transmit them securely over HTTPS.
  • Regenerate Periodically: Regularly regenerate API keys to minimize the risk associated with key compromise.

4. Using OAuth Instead of API Keys

Where possible, use OAuth for authenticating integrations instead of API keys. OAuth tokens are tied to a specific user and scope, providing more granular control and reducing the potential impact of a token being compromised.

5. Monitoring API Usage

Monitor API usage to detect any anomalies that may indicate a security issue. HubSpot provides API analytics that show the number of API calls made, helping you identify unexpected spikes in usage.

6. Limiting API Access

If an integration doesn't require full access to your HubSpot data, consider creating a separate, limited-scope user account for that integration. This reduces the risk of excessive data exposure if the API key is compromised.


Securing API access is crucial to protect your HubSpot instance from unauthorized access and potential data breaches. By following these best practices and leveraging the tools HubSpot provides, you can maintain a secure, efficient, and reliable API environment.

No published blog posts yet.

Connect, Protect, Defend

Streamline your approach to security posture management throughout your entire company.
Get a Free Security Assessment
By installing or using the software, you acknowledge and agree to be bound by the Terms of Service.