APIs & Integrations

AbdulQayyum
Participant

Best Practice to Secure API Calling with AccessToken (OAuth 2.0)

SOLVE

In the context of OAuth 2.0, after installing an app, it returns an access token (short-lived) and a refresh token (long-lived). For each API call, the access token must be included in the request to authorize it.

What are the best practices for securing these tokens?

For example, consider an app calling HubSpot's "Get Contact" API using an access token for authentication/authorization. While this call executes successfully, there is a potential security risk if someone intercepts the API endpoint. If the app has a route such as https://domain/getContact, how can we mitigate this risk?

How can we ensure that the endpoint is only accessible within the app and that the access token is only valid for a single request? What are the recommended security practices for managing these tokens effectively?

0 Upvotes
1 Accepted solution
zach_threadint
Solution
Guide

Best Practice to Secure API Calling with AccessToken (OAuth 2.0)

SOLVE

Hi @AbdulQayyum 👋

You pose a good question. While no approach will be 100% impenetrable, a couple of tips that you may like to consider (based on my experience working with HubSpot Public Apps):

  • Keep all your app authentication credentials stored securely (e.g. in secure databases, ideally protected by 2FA) and only ever use them in your backend app logic via environment variables or "secrets" (e.g. don't expose them anywhere in code repos or frontend applications). This includes your:
    • Public App Client ID
    • Public App Client Secret
    • Individual Refresh Tokens (HubSpot Portal + User specific)

From memory, your HubSpot Public App Access Tokens will expire 30 minutes after they have been generated (this may have changed since I last checked). It's not possible to make them single-use -- they will continue to work as HubSpot API authentication tokens until they expire. In order to achieve this "single-use" authentication functionality, you would need to build a custom authentication layer on top of HubSpot's OAuth framework, but I'm not sure it'd be worth it.

I hope that proves helpful. Please let me know if you have any follow-up questions.

All the best,

Zach

--

Zach Klein
HubSpot Integrations & App Developer
Meanjin / Brisbane, Australia
If my post helped answer your query, please consider marking it as a solution.
0 Upvotes
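Added example (not code from the original thread, and not HubSpot's own code): the two points in the accepted answer in runnable Python. `HubSpotTokenStore` keeps the refresh token and the cached access token on the backend only and refreshes shortly before the 30-minute expiry; `RequestTokenAuthority` is one way to build the "custom authentication layer" Zach mentions, issuing HMAC-signed, short-lived, single-use tokens for the app's own `/getContact` route so that a captured request cannot be replayed. Class and function names are this example's own, and the HubSpot HTTP calls are injected stubs so the module runs offline; the real refresh call is `POST https://api.hubapi.com/oauth/v1/token` with `grant_type=refresh_token`, which the stub imitates.

```python
# Added example, not from the original posts or from HubSpot. Names and the
# fake HubSpot responses are this example's own.
import base64
import hashlib
import hmac
import json
import secrets
import time

REFRESH_MARGIN = 60       # refresh the HubSpot access token this early (seconds)
REQUEST_TOKEN_TTL = 60    # lifetime of one of our own request tokens (seconds)


class HubSpotTokenStore:
    """Backend-only holder of the per-portal refresh token and cached access token.
    `refresh_fn(refresh_token)` stands in for POST https://api.hubapi.com/oauth/v1/token
    (grant_type=refresh_token) and returns HubSpot's JSON response as a dict."""

    def __init__(self, refresh_token, refresh_fn, now=time.time):
        self._refresh_token, self._refresh_fn, self._now = refresh_token, refresh_fn, now
        self._access_token, self._expires_at = None, 0.0

    def get_access_token(self):
        if self._access_token is None or self._now() >= self._expires_at - REFRESH_MARGIN:
            resp = self._refresh_fn(self._refresh_token)
            self._access_token = resp["access_token"]
            self._refresh_token = resp.get("refresh_token", self._refresh_token)
            self._expires_at = self._now() + resp["expires_in"]   # HubSpot returns 1800
        return self._access_token


class RequestTokenAuthority:
    """Issues and consumes single-use tokens for the app's own routes.
    token = base64url(json payload) + "." + hex(HMAC-SHA256(secret, payload))."""

    def __init__(self, secret, now=time.time):
        self._secret, self._now = secret, now   # secret never leaves the backend
        self._used = {}                         # nonce -> exp, for replay detection

    def _mac(self, body):
        return hmac.new(self._secret, body.encode(), hashlib.sha256).hexdigest()

    def issue(self, subject):
        payload = {"sub": subject, "nonce": secrets.token_hex(16),
                   "exp": int(self._now()) + REQUEST_TOKEN_TTL}
        body = base64.urlsafe_b64encode(json.dumps(payload).encode()).decode().rstrip("=")
        return body + "." + self._mac(body)

    def consume(self, token):
        """Return the subject if the token is genuine, unexpired and unused, else None."""
        body, sep, mac = token.partition(".")
        if not sep or not hmac.compare_digest(mac.encode(), self._mac(body).encode()):
            return None                         # forged or tampered: reject before parsing
        payload = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
        now = self._now()
        self._used = {n: e for n, e in self._used.items() if e > now}   # drop stale nonces
        if payload["exp"] <= now or payload["nonce"] in self._used:
            return None                         # expired, or already spent (a replay)
        self._used[payload["nonce"]] = payload["exp"]
        return payload["sub"]


def handle_get_contact(request_token, authority, store, contact_id, hubspot_get):
    """The app's /getContact route: our own token gates the call; the HubSpot access
    token is fetched server-side and never returned to the caller.
    `hubspot_get(path, bearer)` stands in for the outbound HTTPS request to HubSpot."""
    if authority.consume(request_token) is None:
        return 401, {"error": "unauthorized"}
    return 200, hubspot_get("/crm/v3/objects/contacts/%s" % contact_id, store.get_access_token())


def demo():
    """Constructed offline run: fake clock, fake HubSpot, one good call, the same
    token replayed, then a call after the access token has aged into the refresh window."""
    clock = [1_700_000_000.0]
    refreshes, bearers = [], []

    def fake_refresh(refresh_token):
        refreshes.append(refresh_token)
        return {"access_token": "access-%d" % len(refreshes),
                "refresh_token": refresh_token, "expires_in": 1800}

    def fake_hubspot_get(path, bearer):
        bearers.append(bearer)   # record which access token went out, for inspection
        return {"id": path.rsplit("/", 1)[1], "properties": {"email": "a@example.com"}}

    store = HubSpotTokenStore("refresh-token-from-install", fake_refresh, lambda: clock[0])
    auth = RequestTokenAuthority(b"backend-only-secret", lambda: clock[0])
    tok = auth.issue("user-42")
    first = handle_get_contact(tok, auth, store, "101", fake_hubspot_get)
    replay = handle_get_contact(tok, auth, store, "101", fake_hubspot_get)
    clock[0] += 1800 - REFRESH_MARGIN          # now inside the refresh window
    later = handle_get_contact(auth.issue("user-42"), auth, store, "101", fake_hubspot_get)
    return first, replay, later, refreshes, bearers


if __name__ == "__main__":
    print(demo())
```

In `demo()` the first call succeeds with `access-1`, the replay of the same request token is rejected with 401 before any HubSpot call is made, and the third call, issued after the cached access token has aged to within `REFRESH_MARGIN` of expiry, triggers a second refresh and goes out with `access-2`. The nonce store here is an in-memory dict; behind more than one backend instance it would need to be shared (a database or cache with a TTL), which is the kind of extra machinery the accepted answer warns may not be worth it.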
2 Replies
Jaycee_Lewis
Community Manager

Best Practice to Secure API Calling with AccessToken (OAuth 2.0)

SOLVE

Hi, @AbdulQayyum 👋 Thanks for your question. Let's invite a few of our community experts to share how they handle this — hey @zach_threadint @SteveHTM @PBaxter can you give any tips to @AbdulQayyum?

Thanks! — Jaycee

Jaycee Lewis

Developer Community Manager

Community | HubSpot

0 Upvotes