oAuth without client secret for single page app (SPA) and command line tools
Feb 17, 2021 2:49 PM
oauth.com recommends not using a client secret when writing a single page application or clients that the user can run locally, such as a command line interface. This is documented here: https://www.oauth.com/oauth2-servers/single-page-apps/. But I can't find an option to deactivate the client secret in Hubspot.
How do you authenticate such applications via oauth? Using the API key doesn't seem to be a solution, since it doesn't allow tracking who accesses the data or limiting the application's access scope.
Feb 20, 2021 4:32 PM
Hey - so I'm pretty sure this isn't going to be possible without an external service/server. Hubspot uses the Authorization code flow - this requires a client secret to exchange the authorisation code for an access token and you shouldn't embed this in the client.
A potential solution for this is to use Hubspot Enterprise - this supports authentication and provides you with the ability to create serverless functions.
Let me know how you get on 🙂
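A sketch of the external service the reply describes, as an added example that is not part of the forum thread or HubSpot's own code: the server holds the client secret, checks a one-time `state`, performs the code exchange, and hands the SPA or CLI only an opaque session id. The `TokenBroker` class, its method names and the in-memory stores are hypothetical; the token endpoint URL is assumed from HubSpot's public OAuth documentation and should be checked against the current docs.

```python
import json
import secrets
import urllib.parse
import urllib.request

# Assumption: HubSpot's OAuth token endpoint; confirm against current documentation.
TOKEN_URL = "https://api.hubapi.com/oauth/v1/token"

def http_post_form(url, fields):
    """Default transport: POST form-encoded fields and return the parsed JSON body."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(
        url, data=data,
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

class TokenBroker:
    """Server-side component; the client never sees the secret or the tokens."""

    def __init__(self, client_id, client_secret, redirect_uri, post=http_post_form):
        self.client_id, self.client_secret = client_id, client_secret
        self.redirect_uri, self.post = redirect_uri, post
        self.pending = set()   # one-time state values issued to clients
        self.sessions = {}     # opaque session id -> token response

    def begin(self):
        """Issue a state value for the client to put in the authorize URL."""
        state = secrets.token_urlsafe(32)
        self.pending.add(state)
        return state

    def complete(self, code, state):
        """Redirect callback: verify state, exchange the code, return a session id."""
        if not code or state not in self.pending:
            raise PermissionError("unknown or reused state")
        self.pending.discard(state)  # a state value is valid exactly once
        tokens = self.post(TOKEN_URL, {
            "grant_type": "authorization_code",
            "client_id": self.client_id,
            "client_secret": self.client_secret,  # stays on the server
            "redirect_uri": self.redirect_uri,
            "code": code,
        })
        if "access_token" not in tokens:
            raise PermissionError("token exchange failed")
        session_id = secrets.token_urlsafe(32)
        self.sessions[session_id] = tokens
        return session_id
```

In a deployment the secret would be loaded from the server's environment or secret store, and API calls from the client would be proxied through the server using the stored tokens.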