We're working with a HubSpot partner, Map My Customers, to possibly use their software to allow our sales team to visualize contacts and companies in the Map My Customers program. However, we'd like to make sure that ONLY the data we select (name, address info) is what Map My Customers can access. We're told by HubSpot product team that basically once we give someone our API key, they could conceivably access any and ALL data in our HubSpot CRM.
This is a BIG red flag for my senior management and will most likely stop the integration of Map My Customers with our HubSpot account.
Anyone else have insight or experience with being able to limit what they potentially have access to?
You're correct in relation to the use of the HAPIKey. API keys are great for rapid prototyping, but for security and commercial use, it is recommended that all integrations designed to be used by customers use OAuth - this is also required for becoming a featured integration.
When using OAuth 2.0, it allows a user to authorize your app to work with specific tools in their HubSpot account, designated by the authorization scopes you set. This will then give full control over what content is being accessed by the integration itself.
You can find more details about the available scopes and the tools they provide access to here.
If someone has your API key they will have access to all areas within the HubSpot portal. You can use an alternative method of authentication known as OAuth, which would require the integrator to request specific "scopes" or access to parts of your CRM.
You as the portal owner can approve the apps permissions and the integrator can use the "access tokens" obtained from the authorization flow to access the data they're allowed.
Documentation of authenticating in this manner can be found here. A list of all of our scopes can be found here.
Having said this, it might not solve all of your problems entirely. Whilst scopes would allow you to control the tools the application has access to, it would not allow you to control the specific properties within the CRM, which it sounds like you need. This level of restriction is not possible within the HubSpot system via API or in app as a regular user.
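To make the scope point from both answers concrete, here is an added example (not code from the thread, HubSpot or Map My Customers) of how a portal owner can see, in code, what a least-privilege OAuth request looks like and audit what a token was actually granted. The scope names are the granular CRM read scopes as I understand them from HubSpot's scope list; the client ID, redirect URI and token response are constructed placeholders.

```python
from urllib.parse import urlencode

# HubSpot's OAuth authorization endpoint.
HUBSPOT_AUTHORIZE_URL = "https://app.hubspot.com/oauth/authorize"

# Least-privilege scope set for a mapping tool that only needs to read
# contact and company records. Assumed scope names: confirm them against
# the scope list linked in the answers above before relying on them.
MAP_APP_SCOPES = ("crm.objects.contacts.read", "crm.objects.companies.read")


def build_authorize_url(client_id, redirect_uri, scopes=MAP_APP_SCOPES):
    """Build the URL the portal owner is sent to in order to approve exactly
    these scopes (and nothing else) for the integrator's app."""
    params = {
        "client_id": client_id,        # placeholder, supplied by the app developer
        "redirect_uri": redirect_uri,  # placeholder, registered with the app
        "scope": " ".join(scopes),
    }
    return f"{HUBSPOT_AUTHORIZE_URL}?{urlencode(params)}"


def scopes_from_token_info(token_info):
    """Pull the granted scopes out of a token-info style response.
    Handles either a space-separated 'scope' string or a 'scopes' list."""
    if "scopes" in token_info:
        return list(token_info["scopes"])
    return [s for s in token_info.get("scope", "").split() if s]


def audit_granted_scopes(granted, approved=MAP_APP_SCOPES):
    """Compare what a token actually carries with what the owner approved.
    Returns (ok, excess): ok is False if any scope beyond the approved set
    was granted, and excess lists those scopes so they can be revoked."""
    excess = sorted(set(granted) - set(approved))
    return (not excess, excess)


if __name__ == "__main__":
    print(build_authorize_url("CLIENT_ID_PLACEHOLDER", "https://example.invalid/callback"))
    # Constructed sample token info: the app was granted one scope too many.
    sample = {"scopes": ["crm.objects.contacts.read", "crm.objects.deals.read"]}
    print(audit_granted_scopes(scopes_from_token_info(sample)))
```

Scopes only gate which CRM objects the app can reach; as the answer above notes, they do not restrict individual properties on those objects, so the audit is the limit of what the portal owner can enforce.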