Developer Announcements

hseligson
HubSpot Employee
HubSpot Employee

Public Beta: Automatic Deactivation of Exposed Tokens

To enhance the security of our platform and protect our customers, we are introducing an automatic token deactivation public beta feature on October 8th, 2024, for any HubSpot tokens publicly exposed in GitHub repositories. This update is designed to mitigate the risks of token exposure by automatically deactivating the identified tokens and notifying the affected customers and their associated technical contacts. 

 

The new feature will include the following token types listed below, along with examples of the notifications communicating detected token deactivation:

hseligson_1-1728401360031.png

 

hseligson_2-1728401359901.png

 

hseligson_3-1728401360048.gif

 

Screenshot 2024-11-20 at 11.37.25 AM.png

*Note: Users are responsible for manually generating a new SMTP token after it's been automatically deactivated.

 

What's changing?

  • Automated Deactivation: Any HubSpot tokens exposed in public GitHub repositories will be automatically deactivated once identified. This process will be initiated by GitHub using a regex-based detection mechanism.
  • Customer Notifications: Upon detection, affected customers and their technical contacts will receive notifications via email and in-app, guiding them through the necessary remediation steps.
  • Opt-In Period: Before mandatory enforcement, customers can opt into these changes from October 8th, 2024, to April 7th, 2025. This opt-in period allows customers to test and prepare for the full rollout. After this opt-in period, this feature will be enforced, and any exposed tokens will be automatically deactivated once notified via email and in-app banners.

 

What does this mean for developers?

To avoid service disruption, developers using affected tokens (API Keys, Personal Access Keys, Private App Tokens, SMTP Tokens) must ensure they are not exposed in public repositories. Developers must generate new tokens and update their integrations if a token is revoked.

There is a particular concern regarding private apps. Developers using private app tokens should be aware that these tokens will also be subject to the same automatic revocation process. 

 

When is this happening? 

This feature is being introduced to public beta on October 8th, 2024, and will be live and enforced on April 7th, 2025.

To opt into this beta feature, please refer to the Product Updates by clicking on your HubSpot account's profile picture, navigating to In beta, and clicking on Join Beta. For more information, please refer to the documentation.

 

Questions or comments? Join us below in the developer forums for a peer-to-peer discussion.

0 Replies 0

0 Replies

No replies on this post just yet

No one has replied to this post quite yet. Check back soon to see if someone has a solution, or submit your own reply if you know how to help! Karma is real.

Reply to post

Need help replying? Check out our Community Guidelines