Access token for Hard coding in to the code.

Haider000
Member

I want to ask if it's possible to generate a refresh token from an access token obtained from a HubSpot private app, so that I can hardcode it, and the client doesn't have to manually enter the access token each time.

0 Upvotes
1 Accepted solution
d-lupo
Solution
Top Contributor

Hi @Haider000,

Could you clarify what you mean when you say, "the client has to manually enter the access token each time"? Normally, with a HubSpot private app, that shouldn't be necessary. The access token is permanent until you manually regenerate or revoke it in HubSpot. So there's no need to refresh or re-enter it each time.

 

It sounds like you might be mixing up two different types of tokens:

  • Private app tokens:
    • Single, long-lived tokens (no refresh token involved).
    • Ideal for server-to-server integrations.
    • You just store the token securely on your server, and it stays valid until you revoke or rotate it.
  • OAuth tokens (e.g. for public apps):
    • Short-lived access tokens that expire.
    • You need a refresh token to obtain new access tokens automatically.

So, if you're using a private app, there's no way (or need) to generate a refresh token from it. The access token is the credential.

 

A word of caution:
Please don't hardcode your private app token directly into your code, especially not in any file that could be exposed publicly (like JavaScript in the browser or files checked into GitHub). Anyone who sees that token does potentially have access to your HubSpot data. Instead, store it securely as an environment variable or in a server configuration file. For example:

# .env file
HUBSPOT_PRIVATE_APP_TOKEN=your_long_token_here

And then access it safely in your backend code, e.g.:

const HUBSPOT_TOKEN = process.env.HUBSPOT_PRIVATE_APP_TOKEN;

That way:

  • You don't expose credentials in code or client-side pages.
  • The client never has to re-enter anything.
  • You can easily rotate the token later if needed, without changing your code.

 

So in short: No refresh token is needed, and the client shouldn't be entering the access token manually at all. Just store it securely on your backend once, and it will keep working until it's intentionally replaced.

 

Did my post resolve your question? If so, please consider marking it as the accepted solution to help others in the community.

Kind regards
Dennis


0 Upvotes
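The server-side pattern described in the accepted answer, as an added example that is not part of the original post or HubSpot's own code: the token is read once from the environment, sent only to HubSpot's API host as a Bearer header, and redacted in error messages. The function names (`loadToken`, `redact`, `buildRequest`, `hubspotGet`) are hypothetical; Node 18+ is assumed for the global `fetch`.

```javascript
// Added example: keep the private app token on the server, out of logs,
// and out of anything the browser receives.
const HUBSPOT_API = 'https://api.hubapi.com'; // HubSpot's public API host

// Read the token from the environment at startup. Failing fast catches a
// missing or placeholder value at deploy time, not on the first request.
function loadToken(env = process.env) {
  const token = (env.HUBSPOT_PRIVATE_APP_TOKEN || '').trim();
  if (!token || token === 'your_long_token_here') {
    throw new Error('HUBSPOT_PRIVATE_APP_TOKEN is not set');
  }
  return token;
}

// Keep only the last 4 characters so logs can tell tokens apart without leaking one.
function redact(token) {
  return token.length > 8 ? `***${token.slice(-4)}` : '***';
}

// Build a request for an API path. Only paths relative to HUBSPOT_API are
// accepted, so the Authorization header cannot be sent to another host.
function buildRequest(path, token) {
  if (!path.startsWith('/')) {
    throw new Error('path must be relative to the HubSpot API host');
  }
  const url = new URL(path, HUBSPOT_API);
  // Catches "//host" and "/\host", which the URL parser resolves to another origin.
  if (url.origin !== HUBSPOT_API) throw new Error('unexpected host');
  return { url: url.href, headers: { Authorization: `Bearer ${token}` } };
}

// Server-side call: the browser talks to your backend, the backend talks to HubSpot.
async function hubspotGet(path, token = loadToken()) {
  const { url, headers } = buildRequest(path, token);
  const res = await fetch(url, { headers });
  if (res.status === 401) {
    // Token was revoked or rotated: update the environment value, not the code.
    throw new Error(`HubSpot rejected token ${redact(token)}; rotate and redeploy`);
  }
  if (!res.ok) throw new Error(`HubSpot request failed: ${res.status}`);
  return res.json();
}
```

Node does not read a `.env` file on its own: start the process with `node --env-file=.env` (Node 20.6+) or load it with the `dotenv` package, and list `.env` in `.gitignore` so it is never committed.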
BérangèreL
Community Manager

Hi @Haider000 and welcome, we are delighted to have you here!

Thanks for reaching out to the HubSpot Community!

For reference, here is the documentation about "Private apps".

I'd love to put you in touch with our Top Experts: Hi @evaldas, @SteveHTM and @zach_threadint do you have any insights to share with @Haider000, please?

Have a lovely day and thanks so much!
Bérangère




