Submit Form API has NO Authentication

ShekarC · ‎Sep 21, 2021

I'm looking to integrate my Web Form to HubSpot using the API recommended in https://legacydocs.hubspot.com/docs/methods/forms/submit_form
It works well
But the biggest drawback of this API is that there is NO AUTHENTICATION
Anyone who knows or intercepts the API call from the Website will find out the Portal ID & Form Guid and can flood my hubspot instance with lot of Form Submissions.

Any reason this API is designed this way ?

How to secure it ?

ShekarC · ‎Sep 21, 2021

Anyone from HubSpot Product or API team looking into this ?

Can you please share your thoughts on this.

dennisedson · ‎Sep 22, 2021

@ShekarC , create an idea and post to the ideas board. We have a team that monitors that for product update ideas 👍

Link your idea back here so we can upvote

ShekarC · ‎Sep 22, 2021

Hi @dennisedson I have done as suggested

https://community.hubspot.com/t5/HubSpot-Ideas/Submit-Form-API-has-NO-Authentication/idi-p/498952#M9...

Usually what is a typical timeline / SLA for an idea to be picked (or) do I need to pray for max number of upvotes ?

I thought my request is quite basic, unless the API product has a strong rationale that they can justify as to why there is no authentication set for this API....

dennisedson · ‎Sep 22, 2021

There is no timeline on an idea being picked up. The more upvotes, the more likely it will be picked up

Teun · ‎Sep 21, 2021

Hi @ShekarC ,

If this is something you really want, yes. You could look into the ReCaptcha option, but this is something that is not unique. Spam send through forms happen on all type of websites. ReCaptcha is the most common solution. But if I have a WordPress website with an exposed action, that could also be used to send spam through my website.

Learn more about HubSpot by following me on LinkedIn or YouTube

✅ Did my answer solve your issue? Help the community by marking it as the solution.

ShekarC · ‎Sep 21, 2021

Hi @Teun

ReCaptcha is to prevent spam through the Form

However if a malicious user intercepts the API call made from the Website, then they can use tools like Postman to flood the Form and create junk data in my HubSpot instance

Teun · ‎Sep 21, 2021

Hi @ShekarC ,

Completely true. Would be nice to have an option to secure this. But currently, it is not available.

Learn more about HubSpot by following me on LinkedIn or YouTube

✅ Did my answer solve your issue? Help the community by marking it as the solution.

ShekarC · ‎Sep 21, 2021

Hi @Teun

So your suggestion is similar to this post where I have to build my own security layer.

Teun · ‎Sep 21, 2021

Hi @ShekarC ,

You could check this post, which has the same question.
I do remember to see an update the past month regarding recaptcha and the submission API, not sure if it is relevant tho.
Will post it here if I find it.

Learn more about HubSpot by following me on LinkedIn or YouTube

✅ Did my answer solve your issue? Help the community by marking it as the solution.

Teun · ‎Sep 21, 2021

Ah, here it is, so guess it is not relevant to your current question.

Learn more about HubSpot by following me on LinkedIn or YouTube

✅ Did my answer solve your issue? Help the community by marking it as the solution.

APIs & Integrations