topic Re: Storing API Keys for a public app in APIs & Integrations

Storing API Keys for a public app

PaulBattisson — Wed, 30 Jul 2025 11:59:41 GMT

Hi everyone

I am working on a public app that acts as a bridge between HubSpot and a third-party API. This API requires some API keys from the user which ideally I want to store securely in HubSpot and pass through to my app if needed. I can see in private apps you can have secrets (https://developers.hubspot.com/docs/reference/api/automation/custom-code-actions#secrets). Is there a similar option for public apps?

Thanks for any ideas or help!

Paul

Re: Storing API Keys for a public app

BrandonWoodruff — Wed, 30 Jul 2025 13:13:27 GMT

Hey Paul, Public apps don't support secrets. I suggest storing user keys externally in a secure store of some type:

1. Create a Secure BE

Stand up a secure backend or cloud function that:

Stores user-specific API keys securely (e.g., encrypted in a database)
Maps each HubSpot account by portalId or userId
Can proxy or inject the keys when calling the 3rd-party API

2. During app install, store the portalId

When a user installs your app via OAuth, the access token response includes the portal ID:

{ "access_token": "...", "refresh_token": "...", "hub_id": 123456 }

You can then use that hub_id to map user-specific credentials in your system.

3. Create a secure FE UI in your app

Use a HubSpot app settings page or an embedded iframe (like a CRM card or settings tab) to allow users to enter their third-party API key securely into your system.

You’ll:

Authenticate the user via OAuth token or signed request
Store their API key server-side (encrypted)
Retrieve the key only when needed, server-to-server

Let me know if this helps, or if you have any other questions!

✔️ Was I able to help answer your question? Help the community by marking it as a solution.

Brandon Woodruff
Senior Software Developer @ Pearagon

Still have questions? Reach out at brandon@pearagon.com

Re: Storing API Keys for a public app

PaulBattisson — Wed, 30 Jul 2025 13:22:34 GMT

Thanks Brandon, I assumed it would need this - it's a shame as secure secrets for public apps exist on other platforms and I was hoping to utilise something like that to increase security in general. Thanks for the confirmation!