APIs & Integrations

hridayesh
Participant

API Key rotate

Hi There,


I have been recieving emails from HubSpot regarding API key rotation (I am going to user API Key to integrate HubSpot eCommerce Bridge in my application). So, could you please provide clarification on below points:
1. If I need to rorate API key on a perticular interval. (If so, I need to manuallt change that key in my application configuration.)
2. If there is any other API to rotate HubSpot API Key. (I can make a call to that API from my code to rotate API Key and get that API key to override in my app configuration)

3. or, if I could use oAuth 2.0 with eCommerce Bridge APIs implementation.
 

Could you please provide your inputs on this.

 

Thanks!


CC: @Derek_Gervais  @Willson 

4 Replies 4
ahamaton
Participant

API Key rotate

If you rotate the key, do you need to update it in the Wordpress plugin because I cant see anywhere in the plugin to update it ?

Kind regards

Andrew

Derek_Gervais
HubSpot Alumni
HubSpot Alumni

API Key rotate

Hey @hridayesh ,

 

Let me try to address each of your questions individually:

  1. You're not technically required to rotate your API key, but we strongly recommend rotating your API key at least every 6 months. You're correct that this rotation would require you to manually update your API key in any external system that uses it.
  2. API key access is only possible in-app; there is no current API that supports rotating/generating an API key.
  3. The Ecommerce Bridge API does in fact support OAuth 2.0, though the setup for that is slightly different. You'll need to create an app, configure your Ecommerce Bridge settings in your developer account, and install that app to your production account.
hridayesh
Participant

API Key rotate

Thank you @Derek_Gervais for you quick response.

I am good with point 1 and 2.
For point 3, I already have installed App in my developer account (as I am using contacts APIs using oAuth authentication), but when I use oAuth Authentication to call eComm APIs as below code:

 

var client = new RestSharp.RestClient("https://api.hubapi.com");
var request = new RestSharp.RestRequest(RestSharp.Method.POST);
request.Resource = "extensions/ecomm/v1/installs";
request.AddHeader("Authorization", "Bearer " + _authenticationInfo.AccessToken);
RestSharp.IRestResponse response = client.Execute(request);

It gives me below error in response with StatusCode Forbidden

{"message":"This OAuth token (CIim9ZuO*********R8RD9jf8) has not authorized the required scopes to complete this action, requires all of the following: [portal-developers-access].
Visit https://developers.hubspot.com/scopes for more information.","correlationId":"88d7e2******cbdc7","requestId":"316c5b********3bf1a"}

And when I try to use v2 API : "extensions/ecomm/v2/installs"
It returns nothing with status code NotFound.

 

I have defined below scopes for my App
HubSpot App Scopes.png

Also, Should I use v1 APIs for all the calls (InstallBridge, UpsertSettings, CreateStore, SyncData) or v2.

@Derek_Gervais , could you please help me with this.

Thanks!


CC: @Willson  

0 Upvotes
Derek_Gervais
HubSpot Alumni
HubSpot Alumni

API Key rotate

Hey @hridayesh ,

 

There's an important differece between Ecommerce Bridge using OAuth and Ecommerce Bridge using a hapikey: When using a hapikey, the account that manages the ecommerce settings and the account that accepts sync messages are the same account, which means you can use the same hapikey. 

 

On the other hand, when you're using OAuth, the account that manages the ecommerce settings is entirely different than the account that accepts sync messages: The former is your Developer Account, and the latter is your production account. This means that you're unable to use the same authentication method for everything; an OAuth access token generated when you installed your app to your production portal will not work when trying to configure your ecommerce settings, since those settings live in your Developer Account.

 

The solution here is simple, if a bit confusing at first: When sending sync messages or getting specific sync errors for an account (this endpoint, specifically) you'll need to use your OAuth access token. When updating your ecommerce settings, you'll need to use your developer hapikey

 

These docs have some more information on the subject:

0 Upvotes