APIs & Integrations


OAuth Security Question

I'm just getting started with a POC of a public app. I've got the basic OAuth flow wired up, but I feel like I'm not fully understanding something.

What I'm thinking for basic architecture:
- my app will live in the CRM in an iframe, triggered from a CRM card
- my app receives the HubSpot userId via query string from the iframe's src
- my app loads, goes through the OAuth flow. Users do not authenticate on my app beyond HubSpot's OAuth flow (is this typical?)
- I store the refresh and access tokens in my db with the HubSpot userId as the primary key

Now my question (and why I think I'm missing something): doesn't this leave a pretty large vulnerability where users could change the userId in the query string? What prevents my app from sharing other users' tokens?

I can add some sort of rate limiting, etc. to mitigate but I'm wondering if I'm missing something more broadly. How do most apps handle this?
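The lookup described in the post above, as an added example that is not part of the original post or of any HubSpot code: the first function does exactly what the architecture sketch says (tokens keyed by a userId read from the iframe's query string), and the rest shows the usual fix, where the app keeps its own session, binds the OAuth state to it, and learns which HubSpot user a session belongs to from the token exchange rather than from the URL. The token store, the session store, the authorization codes and the HubSpot token exchange are stand-ins constructed for illustration.

```python
"""
Added example (not from the original post or any HubSpot code): contrasts the
token lookup described above, keyed by a HubSpot userId read from the iframe's
query string, with a lookup keyed by a server-side session that the OAuth flow
itself establishes. The token store, the session store and the HubSpot token
exchange are stand-ins constructed for illustration.
"""
import hmac
import secrets

# Constructed sample data: tokens the app has already stored, keyed by HubSpot
# userId exactly as the question describes.
TOKENS_BY_USER = {
    "1001": {"access_token": "at-alice", "refresh_token": "rt-alice"},
    "1002": {"access_token": "at-bob", "refresh_token": "rt-bob"},
}


def tokens_for_request_vulnerable(query):
    """The pattern from the question: trust ?userId=... from the iframe src.

    Nothing ties the request to the person who completed OAuth as that user,
    so editing the query string returns someone else's tokens.
    """
    return TOKENS_BY_USER.get(query.get("userId"))


# Hardened variant. The app keeps its own session (an opaque id in a cookie;
# inside a cross-site iframe that cookie needs SameSite=None and Secure), binds
# the OAuth `state` to that session, and records which HubSpot user the
# session belongs to only when the token exchange tells it.
SESSIONS = {}  # session_id -> {"state": str | None, "user_id": str | None}


def start_login():
    """Begin the OAuth flow. Returns (session_id, state): the session id goes
    into a cookie, the state into the HubSpot authorize URL."""
    session_id = secrets.token_urlsafe(32)
    state = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"state": state, "user_id": None}
    return session_id, state


# Stand-in for HubSpot's code-for-token exchange (constructed). Assumption: the
# identity (userId) is learned from HubSpot as part of that exchange, never
# from a parameter the browser supplied.
FAKE_AUTH_CODES = {
    "code-alice": ("1001", {"access_token": "at-alice-2", "refresh_token": "rt-alice-2"}),
    "code-bob": ("1002", {"access_token": "at-bob-2", "refresh_token": "rt-bob-2"}),
}


def fake_hubspot_exchange(code):
    try:
        return FAKE_AUTH_CODES[code]
    except KeyError:
        raise PermissionError("invalid authorization code") from None


def finish_login(session_id, callback_query):
    """Handle the OAuth redirect: check state, exchange the code, bind the
    session to the user HubSpot reports. Returns that user id."""
    session = SESSIONS.get(session_id)
    if session is None or session["state"] is None:
        raise PermissionError("no login in progress for this session")
    if not hmac.compare_digest(session["state"], callback_query.get("state", "")):
        raise PermissionError("state mismatch (CSRF or replayed callback)")
    session["state"] = None  # state is single-use
    user_id, tokens = fake_hubspot_exchange(callback_query.get("code", ""))
    TOKENS_BY_USER[user_id] = tokens
    session["user_id"] = user_id
    return user_id


def tokens_for_request_hardened(session_id, query):
    """Look up tokens by the session's user. The userId in the query string is
    never used for authorization; if present it must match, or the request is
    rejected."""
    session = SESSIONS.get(session_id)
    if session is None or session["user_id"] is None:
        raise PermissionError("not authenticated")
    requested = query.get("userId")
    if requested is not None and requested != session["user_id"]:
        raise PermissionError("userId in URL does not match the authenticated user")
    return TOKENS_BY_USER[session["user_id"]]


if __name__ == "__main__":
    # Anyone with no session at all reads Bob's tokens just by editing the URL.
    print("vulnerable:", tokens_for_request_vulnerable({"userId": "1002"}))
    sid, state = start_login()
    finish_login(sid, {"state": state, "code": "code-alice"})
    print("hardened, own user:", tokens_for_request_hardened(sid, {"userId": "1001"}))
    try:
        tokens_for_request_hardened(sid, {"userId": "1002"})
    except PermissionError as exc:
        print("hardened, tampered userId:", exc)
```

The point of the hardened path is that the query-string userId is, at best, a hint to be cross-checked; the thing that actually authorizes a token lookup is a session the app itself issued and then bound to a HubSpot user during the OAuth callback. Rate limiting does not change this, since one correctly guessed userId is enough.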



OAuth Security Question

It will take some time to get some close solutions; meantime you can also refer to these artifacts, which will help you the most:



Humashankar VJ
HubSpot Community Champion and enthusiast | Engineering Manager