APIs & Integrations

rfulton
Member

Security issue: Revoking access - access token not revoked

I've been testing out a connection to a 3rd party app. When I revoke access to the app in my Hubspot account settings, I can still make successful API calls for around 20 mins. Looks like the access token is not revoked and I only start to get failures when it needs to be refreshed.

 

Access via API should be revoked immediately when the app is disconnected.

0 Upvotes
1 Reply 1
KhushbooRevOps
Participant

Security issue: Revoking access - access token not revoked

Hi @rfulton,

When you revoke access to a third-party app in HubSpot, the existing access token remains valid until it expires (typically 15-20 minutes). This delay happens because the token isn't immediately invalidated; it only fails once it tries to refresh.

For immediate revocation, ensure your system checks token status before sensitive actions, or manually expire the token if possible. This is a common behavior with OAuth tokens, but important for security awareness.

I hope it helps, let me know if you need to talk!

Khushboo Pokhriyal

Growth & Operations

GroRapid Labs

LinkedIn | 9315044754 | Email | Website

0 Upvotes