Developer Announcements

Dadams
HubSpot Employee
HubSpot Employee

Upcoming: API Key Sunset

What’s changing?

 

API Keys have been one of three authentication methods supported by HubSpot APIs. However, as part of ongoing efforts to protect our customer's data, we will be sunsetting API Keys.

 

As a result of this change, integrations will instead be required to work with Private Apps. Private Apps offer tighter security and allow more granular control over your integrations and account data than legacy API keys.

 

What this means for developers:

 

With the introduction of Private Apps, users who previously developed on HubSpot and utilized API Keys will now be required to migrate existing integrations from using API Key authentication to using Private Apps instead.

 

Private Apps allow you to set up a separate static access token for each integration. Private App access tokens are also scoped like OAuth access tokens, so you can control the access that each integration has to your HubSpot account.

 

Private Apps work much the same as API key integrations would, with the main change being that they use a static access token in the Authorization HTTP header, instead of using the API key in a query parameter to authorize the API request. No other changes should be required aside from updating the authentication method.

 

If your integration is intended to be used by multiple HubSpot accounts, you should update your integration to be a Public App using OAuth 2.0. Private Apps should not be used for multi-account apps. OAuth 2.0 provides the same security features as Private Apps, but provides a much better experience for users, allowing them to quickly connect their HubSpot account to your app without additional code.

 

When is this change happening?

 

Starting November 30, 2022, all customers will no longer have access to API Keys and in-turn will no longer be able to use API Keys as an authentication method with HubSpot APIs.

 

Starting July 15, 2022, we will no longer allow new API keys to be created. Existing API keys will work until November 30th, but accounts without an API key will not have access to create a new API key. API calls made with API keys on or after Nov 30, 2022 will return 401 errors.

 

In order to begin using Private Apps immediately, please see the documentation for Private Apps.

 

Developer Account API Keys, for configuring public apps, will still be available for use in Developer Accounts.

 

Please let us know if you have any questions by replying below.

46 Replies 46
dennisedson
HubSpot Product Team
HubSpot Product Team

Upcoming: API Key Sunset

Adding a link to a YouTube video we added showing how to use private app authentication with a custom coded action and also with Postman.  Hope this helps!

Thanks,

Dennis




HubSpot Community Developer ShowMake sure to subscribe to our YouTube channel
where you can find the HubSpot Community Developer Show
JFreeman1
Member

Upcoming: API Key Sunset

I'm not a developer, so I don't know how this sunset will affect my HubSpot account connections.  I do not have any specialized apps that were built for my company.  I connect to Zapier and apps from the Marketplace like DocuSign and Stripe.  Will these connections be affected?  

0 Upvotes
gillytech
Contributor

Upcoming: API Key Sunset

Nope. This will only affect apps that use the HAPI Key.

JFreeman1
Member

Upcoming: API Key Sunset

I'm not a developer, so I don't know if/how this will affect my company.  I connect HubSpot to Zapier and apps that are in HubSpot Marketplace like DocuSign and Stripe.  I don't have any custom integrations built on the HubSpot developer side.  Just what's already out there in the Marketplace.  Does the sunset mean I will not be able to connect to these other apps?  If so, since HubSpot is mandating this change, I'm assuming HubSpot will also provide the technical assistance I need to make the necessary changes.

 

I tried to call the 1-888-482-7768 to speak to a human, but none were available.  Any insight would be quite helpful to this non-developer customer.

0 Upvotes
dennisedson
HubSpot Product Team
HubSpot Product Team

Upcoming: API Key Sunset

Hello HubSpot Developers! We really appreciate your feedback on this. We’ll be partnering with you to make the migration to private apps as smooth as we can in order to help HubSpot remain the most trusted and secure CRM. 

 

While we cannot change the timeline required to move your API keys to private apps, we’ll be creating additional resources dedicated to helping ease the transition. First, we’ll be fleshing out our migration guide, and providing more resources to help walk you through the steps involved. We will update this thread as these resources become available. 

 

Again, thank you for your candid feedback on this announcement and rollout - we’re looking forward to working alongside you to help secure your customer data for the long term.

Thanks,

Dennis




HubSpot Community Developer ShowMake sure to subscribe to our YouTube channel
where you can find the HubSpot Community Developer Show
danmoyle
Recognized Expert | Elite Partner
Recognized Expert | Elite Partner

Upcoming: API Key Sunset

@dennisedson to the rescue! 

 

For real though, this is good to read. I do hope it goes smoothly for thos who need it. 

 


Did this post help solve your problem? If so, please mark it as a solution.


Dan Moyle

HubSpot Advisor

Learning Ops | Impulse Creative

[he/him/his]

239-244-8812 | 269-330-4696
dan@impulsecreative.com
https://impulsecreative.com/
gillytech
Contributor

Upcoming: API Key Sunset

What about Ecommerce Bridge support in Private Apps?

0 Upvotes
rbutler-jpi
Participant

Upcoming: API Key Sunset

What about the Public Email API Alpha that my company is using?

Last time I checked in with the Development team handling this on your side, the Public Email API Alpha has basically not had any updates to it in some time in preperation for a newer version that's got no release date or information available and it does not support using the "private apps" side of HubSpot. We use this Public Email API alpha A LOT. Can you please clarify ASAP if this has been considered otherwise there are going to be huge implications for us....

0 Upvotes
louischausse
Key Advisor | Platinum Partner
Key Advisor | Platinum Partner

Upcoming: API Key Sunset

@dennisedson @Dadams  As far as I know, the e-commerce bridge API is not compatible with private apps yet. Only API key or OAuth according to documentation.

Would following the doc for ecom bridge OAuth work with private app tokens?

In short, would a private app access token in the header work (i.e. Authorization: Bearer {token})?

Louis Chaussé

CEO

Auxilio

lchausse@auxilio.io
auxilio.io
Schedule a call
0 Upvotes
gillytech
Contributor

Upcoming: API Key Sunset

I don't have the time to try it out right now but if you or anyone else has any luck with this I woud really appreciate an update! Meanwhile I am going to try to get a note in with the product team to see where Private Apps support for Ecomm Bridge is at on the roadmap.

louischausse
Key Advisor | Platinum Partner
Key Advisor | Platinum Partner

Upcoming: API Key Sunset

Keep us posted here please! @gillytech 

Louis Chaussé

CEO

Auxilio

lchausse@auxilio.io
auxilio.io
Schedule a call
0 Upvotes
TimOstheimer
Member

Upcoming: API Key Sunset

This isn't nearly enough time.

0 Upvotes
nickdeckerdevs1
Participant | Partner
Participant | Partner

Upcoming: API Key Sunset

Hi! I applaud moving towards this, however it looks like the timeline was made up by some corporate person that is out of touch with their partners and developers. Were people consulted? The slack champions group? HubSpot Partners that are dev and integration focused? Developer advocates? This is the timeline yall figured out was best?

 

Whatever the case really is -- is too short of a timeline. HubSpot developers have received this email as their one email to know that they need to update this. I have clients I've built work for that I'm no longer in their portal. I have plenty that I'm in their portal. No client is going to know they need this migrated, this is all on the developer/partner/agency/freelancer to reach out to the client and let them know that they need to pay more money to still keep their integration working.

 

1) Can we lengthen the deadline?

2) Is HubSpot willing to put money behind this to ease the cost to their clients?

3) Is it possible to grandfather current integrations in? I realize this might be much harder, so maybe option 1 and 2 are easier to implement.   

 

I mean, option 1 seems like the easiest thing to do here. I have to search through years of emails and reach out to clients I haven't spoken to in years. It just seems like a very large task right now with a very small timeline.

 

I have a whole lot of other feedback but I'm going to keep that to myself as none of it is constructive. We have a special slack group that could be reached out to, as well as developer advocates in the community that are hubspot employees that I believe would have asked for more time than 6 months. I hope this is addressed and the timeline for implementation is lengthened. 

 

Also, is there some plan to support this? When a HS customer reaches out via chat and they don't know why their integration isn't working, are there some preferred developers you are suggesting look into it? On December 1st, what's the plan to deal with this fallout?

 

Sorry if this response is all over the place, I've tried to take a few hours to respond, but I keep coming back to the only thing that makes sense - that no one cares about the repercussions on this -- sorry, too bad developers, just figure it out. I don't want to think that is the way HubSpot is positioning this.



TimMunro
Contributor

Upcoming: API Key Sunset

Please clarify how to create custom objects without the API key. Object schema  endpoints detailed here https://developers.hubspot.com/docs/api/crm/crm-custom-objects (e.g. POST/crm/v3/schemas) stipulate that only the API key may be used. Thanks, Tim


Jaycee_Lewis
Community Manager
Community Manager

Upcoming: API Key Sunset

Hey, @TimMunro, please have a look at this guide — How to Build a Custom Object Using Private Apps

 

Best,

Jaycee

linkedin

Jaycee Lewis

Developer Community Manager

Community | HubSpot

0 Upvotes
gillytech
Contributor

Upcoming: API Key Sunset

I am concerned that my Ecommerce Bridge implementation will stop working. Private Apps does not (AFAIK) support Ecommerce Bridge functions and it's the only thing I use API Keys for. Everything else is on Private Apps. What is the plan to provide Ecomm Bridge functionality in Private apps?

louischausse
Key Advisor | Platinum Partner
Key Advisor | Platinum Partner

Upcoming: API Key Sunset

I have the same concern. @dennisedson can you get us an answer on this one please?

Louis Chaussé

CEO

Auxilio

lchausse@auxilio.io
auxilio.io
Schedule a call
0 Upvotes
arlogilbert
Contributor

Upcoming: API Key Sunset

The July date seems reasonable, but the November date is nowhere near enough notice.

 

HubSpot wants companies to build on top of your APIs which means that entire companies (mine included) have built on top of CMS/CRM/File APIs for myriad use cases across hundreds of services.

 

Given that replacing the API key is not as simple as just swapping out keys for the private app equivalent, but actually does require code level changes, this is nowhere near enough time to fully deprecate the keys. A year notice at a minimum would be acceptable.

Skipio
Contributor

Upcoming: API Key Sunset

I use my developer api key in combination with an OAuth public app in order to create/manage webhooks, as the public app doesn't have a way to do this. How am I supposed to use the Webhooks API without an API Key?

The webhook api docs state that the only way to use the endpoints is with a "developer API key":


"You can use the following [webhook] endpoints and your developer API key to programmatically configure webhook settings for an app."


Emphasis added - source: https://developers.hubspot.com/docs/api/webhooks#manage-settings-via-api

Are you planning on adding a different way to authenticate against the webhook endpoints? 🤔

0 Upvotes
Skipio
Contributor

Upcoming: API Key Sunset

Wait, at the end of your post you have "Developer Account API Keys, for configuring public apps, will still be available for use in Developer Accounts"; does that apply to me for the webhook endpoints?

 

I'm confused on the difference between "API Keys", "Developer Account API Keys", and "Developer API Keys"... aren't they all the same?

0 Upvotes