
mngopher
Member

New and seeking info re: uploading data sensitive files for a 3rd party Hubspot user to receive

I’m very familiar with APIs and web services, but new to Hubspot.  The company I work for was asked (by another company who already uses Hubspot) to use Hubspot as a means of uploading files to this other company.  I created a test login and was able to successfully make the following 2 API calls to Hubspot with the temporary API key I was given in my test account: 

I see there are a number of APIs to call (listed on the left-hand column of this page: https://developers.hubspot.com/docs/overview), and we weren’t given any instruction on which API the company wanted us to call (we were just simply told we are to use Hubspot).  On the API page details, for the 2nd call I listed above (the POST, which uploaded a file), there is a big red box that says: "Files that contain sensitive or confidential information should not be uploaded to file manager, as all uploaded files are stored on a public CDN where the files can be accessed by anyone with the file URL."

As we are sending sensitive data, this isn't acceptable as an option (I do see there is a hidden parameter for that call, but hidden is still not the same as inaccessible). 

 

So my questions are:

  1. Does Hubspot currently have a URL/endpoint we could use which would allow for sending data sensitive files that only this other company would have access to?  And IF SO, how is that arranged or coordinated?
  2. Are we required to have a purchased account (at some level) in order to simply obtain a non-expiring key to use in order to upload files to this company who does use Hubspot?  Again, we are JUST the sender of files in this case…we’re not retrieving any files or data from Hubspot, or otherwise using Hubspot in any way.
  3. Are we (again, as merely the data sender) somehow required to create and upload an api app to Hubspot in order to send a file to some domain or directory that we would then need to share or grant access to in order for this other company to retrieve their data from?  This would seem quite weird...I would actually expect (IF anything or IF anyone had to create an app api) this other company using Hubspot would be the ones to create an endpoint or api app...and then tell us which one to use (along with giving us a non-expiring key to use).  

Thanks for anyone's time in helping answer these questions!  Apologies if this is the wrong label to pick as well...

Derek_Gervais
HubSpot Alumni

Hey @mngopher,

I'm going to address each of your questions individually in a moment, but first I wanted to say: The HubSpot file manager should not be used to store/transfer sensitive files. The file manager was built with public website assets in mind; while there are some workarounds out there, there's no functionality at this time that would support using the HubSpot file manager as a secure file transfer system. I would strongly advise against building such a system here.

 

Let me dig into each of your questions, which might help build context around this:

  1. The CMS Files API is the only HubSpot API which allows for uploading files to HubSpot. Files uploaded to the HubSpot file manager can exist in two states, as denoted by the `hidden` field (see documentation):
    1. First, `hidden` can be `false`. This is the default state, and by and large the most common and useful state for files in the file manager. Files where `hidden` is `false` are visible in-app in the file manager tool, and have public CDN links where they're accessible.
    2. Second, `hidden` can be `true`. This is a far less common state for a file to be in, and it's generally only used for files that have been uploaded as attachments to object records (e.g. Contacts, Companies, Deals, etc.). Files where `hidden` is `true` are not visible in-app in the file manager tool, and do not have public CDN links. These files are only accessible in-app as attachments to object records.
    For your use case, this means that the only way to use the HubSpot API to upload files securely to this other company would be to upload them as `hidden: true`, attach them to object records, and then have the folks at that company access them in-app. If the files are uploaded with `hidden: false`, they are technically accessible without a login.
  2. As the developer(s), you're not required to have any HubSpot account. The only exception here is if you were to decide to use OAuth for authentication; what you'd need to have depends on what type of authentication you're using:
    1. If you're using an API key, you do not need any HubSpot account at all.  You would need to get the other company's API key from their account, and use that API key to authenticate any/all requests you make to the HubSpot API.
    2. If you're using OAuth, you'd need to create a free Developer account in order to obtain your client credentials. You'd then complete the authorization process for the other company's account, and authenticate any/all requests with the resulting access token.
    You can learn more about HubSpot API keys and the HubSpot OAuth flow here
  3. HubSpot doesn't host/run any code, so the actual implementation of this app/integration would exist entirely separately from HubSpot. The only nuance here is that, like I mentioned above, if you decided to use OAuth you (or the other company, either way) would need a Developer account. A HubSpot Developer account doesn't actually host the code; it exists (at least in your case) only to provide you with the client credentials necessary to use OAuth.

I hope this helps clear some of this up; please don't hesitate to reach back out with any other questions!
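
Added example, not part of either post above and not HubSpot code: a fail-closed check a sender could run over upload responses to confirm every file came back with `hidden` set to `true`, as the reply describes. Only the `hidden` flag comes from the thread; the response envelope, the other field names and the sample records are constructed assumptions.

```python
import json

# Constructed sample response. Only the `hidden` flag comes from the thread;
# the envelope ("objects") and the other field names are assumptions.
SAMPLE_RESPONSE = """
{"objects": [
  {"id": 101, "name": "q3-payroll.csv", "hidden": true, "url": ""},
  {"id": 102, "name": "claims.pdf", "hidden": false,
   "url": "https://cdn.example.invalid/claims.pdf"},
  {"id": 103, "name": "roster.xlsx",
   "url": "https://cdn.example.invalid/roster.xlsx"},
  {"id": 104, "name": "notes.txt", "hidden": "true", "url": ""}
]}
"""


def audit_uploads(response_text):
    """Map each file name that may be publicly reachable to the reasons why."""
    exposed = {}
    for record in json.loads(response_text).get("objects", []):
        reasons = []
        # Fail closed: `hidden: false` is the default, so a missing flag or a
        # non-boolean value (e.g. the string "true") is treated as public.
        if record.get("hidden") is not True:
            reasons.append("hidden is not true")
        # A hidden file should carry no public CDN link.
        if record.get("url"):
            reasons.append("has a URL")
        if reasons:
            exposed[record.get("name", "<unnamed>")] = reasons
    return exposed


def require_all_hidden(response_text):
    """Raise if any uploaded file looks exposed; return True otherwise."""
    exposed = audit_uploads(response_text)
    if exposed:
        raise ValueError("possibly public uploads: " + ", ".join(sorted(exposed)))
    return True


if __name__ == "__main__":
    for name, reasons in audit_uploads(SAMPLE_RESPONSE).items():
        print(f"{name}: {'; '.join(reasons)}")
```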