Changing from Hapikey to OAuth

New Contributor

Currently I expose my contacts via API + Hapikey and all's fine.

I would like to change to OAuth, so as a first step I used the OAuth Quickstart App (https://github.com/HubSpot/oauth-quickstart-nodejs) as suggested by the documentation.

However, in the part where the contacts API is called after getting the access token, what I get are the contacts of the currently-logged-in HubSpot user, which means that if I'm not that user, my app won't be getting my contacts.

Is this the correct behavior? I had expected that any logged-in user would get my contacts. Thanks.

Reply
0 Upvotes
Community Manager

Hey @chesslover,

An OAuth access token that has the contacts scope should be able to access all contacts in the corresponding account, regardless of the contact owner. There is not currently any user-level access restriction for OAuth access tokens.

Can you give me some more details on your specific issue?

Reply
0 Upvotes
New Contributor

Hi @Derek_Gervais,

Thank you for your reply. Yes, no issues with ownership; contacts owned/not owned within a user are retrieved by the API.

I have the following:

user 1 = developer account

user 2 = normal account

I want to expose contacts of user 1 via the API protected by OAuth. I created an app integration in user 1.

Below I'm using the Node.js OAuth 2.0 Quickstart Application to simulate the OAuth flow (https://github.com/HubSpot/oauth-quickstart-nodejs).

  1. From the browser I hit the authentication URL of my app integration; HubSpot gives me the login page.
  2. I log in as user 2.
  3. API gives me contacts for user 2. I expected to get contacts of user 1 (which had my app integration).

I hope this helps.

Reply
0 Upvotes
Community Manager

Hey @chesslover,

I think this might be the result of a fundamental confusion around OAuth. When you complete the OAuth flow, you're essentially installing your app to a specific account. This process generates an access & refresh token that provides access to the account that you select during the flow. The authorization process does not connect the selected account to any other account, nor does it provide access to multiple accounts (i.e. developer & normal accounts).

Developer accounts are intended only to host your app configuration settings, so connecting via OAuth is rarely necessary. Instead, you can use your developer API key to gain programmatic access to your app's settings. If you're instead referring to a test account, then you can generate an OAuth access & refresh token for that account by selecting it during the OAuth flow.

This wiki-style post has a bit more info on OAuth as a whole: https://community.hubspot.com/t5/APIs-Integrations/HubSpot-OAuth-FAQ/m-p/262729#M23479

Reply
0 Upvotes
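
The account binding described in the reply above, as an added example that is not part of the thread or of HubSpot's quickstart app: tokens are filed server-side under the account selected during the OAuth flow, so a token issued for one account never serves another account's contacts. The `AccountTokenStore` class, the `exchange` stand-in for the token endpoint (including its `account_id` field), and all codes, ids and token strings are assumptions constructed for the example.

```javascript
// Added example. `exchange` stands in for the HTTPS POST to the OAuth token
// endpoint; account ids, codes and token strings are constructed sample values.
class AccountTokenStore {
  constructor(exchange, now = () => Date.now()) {
    this.exchange = exchange;
    this.now = now;
    this.byAccount = new Map(); // account id -> { access, refresh, expiresAt }
  }
  save(accountId, t) {
    this.byAccount.set(accountId, {
      access: t.access_token,
      refresh: t.refresh_token,
      expiresAt: this.now() + t.expires_in * 1000,
    });
  }
  // OAuth callback: the code is bound to the account picked on the consent
  // screen, so the tokens are filed under that account, not the browser session.
  async install(code) {
    const t = await this.exchange({ grant_type: 'authorization_code', code });
    this.save(t.account_id, t); // account_id in the response is an assumption here
    return t.account_id;
  }
  // Server-side lookup used for every API call made on behalf of `accountId`.
  async accessTokenFor(accountId) {
    let rec = this.byAccount.get(accountId);
    if (!rec) throw new Error(`account ${accountId} has not authorized the app`);
    if (this.now() >= rec.expiresAt - 60000) { // refresh one minute early
      const t = await this.exchange({ grant_type: 'refresh_token', refresh_token: rec.refresh });
      this.save(accountId, t);
      rec = this.byAccount.get(accountId);
    }
    return rec.access;
  }
}

// Constructed stand-in for the token endpoint: two accounts, one code each.
function fakeExchange() {
  const codes = { 'code-user1': 111, 'code-user2': 222 };
  let n = 0;
  return async (p) => {
    const account_id = p.grant_type === 'authorization_code'
      ? codes[p.code]
      : Number(p.refresh_token.split(':')[1]);
    if (!account_id) throw new Error('invalid grant');
    n += 1;
    return { account_id, access_token: `at:${account_id}:${n}`,
             refresh_token: `rt:${account_id}`, expires_in: 1800 };
  };
}
```

With this layout, completing the flow as user 2 only ever yields a token for user 2's account; user 1's contacts become readable once user 1's account has authorized the app, and the server then reuses that stored token whoever is browsing.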
New Contributor

Hi @Derek_Gervais,

Going back to my original use case, what is your recommendation as to how to implement it via OAuth? That is, I want other users to access, or be given permission to access, the contacts of a specific user via the Contacts API protected by OAuth.

Thanks.

Reply
0 Upvotes
Community Manager

Hey @chesslover,

Any access token you generate by completing the OAuth flow (and including the contacts scope) will have access to all contacts, irrespective of the contact owner. If you generate an access token in this way, you'll be able to use it to access any/all contacts from the account in question via the Contacts API.

Outside of that, I'm not sure I'm clear on what specifically you're trying to accomplish. Is there a specific roadblock that you're hitting, or a specific goal that you can describe?

Reply
0 Upvotes
New Contributor

Hi @Derek_Gervais,

At the moment, changing from hapikey to OAuth security also changes the API's behavior, and HubSpot's official documentation does not recommend using hapikey in production, so as far as we are concerned it is a blocker for us.

Reply
0 Upvotes