HubSpot Ideas

Hani-RT

Allow more than one active API key at a time

The current implementation allows for one active API key at a time.   In order to keep things secure, it is suggested that the key is rotated on a schedule.  However, in order to do so, you must deactivate the existing key when creating a new one.  This would, in many implementations, create downtime.  That is a noted issue here:  https://knowledge.hubspot.com/integrations/how-do-i-get-my-hubspot-api-key

"While this may create downtime and require effort, it adds a layer of security by..."

 

For some implementations, including ours, where this key must be updated across several servers, this is not ideal.

 

I'd like to see the ability to have at least 2 API keys allowed at a time.  This would allow us to create a new API key and roll out the new one without affecting any live integrations.  Then once the new API key has been rolled out, we can deactivate the old one.

 

I found a related idea (https://community.hubspot.com/t5/APIs-Integrations/Multiple-API-Key-needed/m-p/292462) and I'll upvote that and it's related ticket in the approved solution, but I'm not sure it covers the exact same scenario.

12 Comentarios
RiccardoPisani
Colaborador líder

Hi there Hubspotters, 

 

we use several tools integrated with Hubspot thru our API key!

 

Would be great having the possibility to:

1) have multiple API keys and assign them to different ppl

2) keep track of the API quota easily for each of them in order to get a big picture on the API consumption 

 

If you know any tool that can intgrates with HubSpot and helps me with that, please share it with me 🙂

 

I hope you will find this Idea useful!

 

Kind regards,

Riccardo

cbarley10
Colaborador

Hey Riccardo! That's a great idea to have some sort of API key partitioning. It is not a possibility at this time within HubSpot, butI've heard of it before, and I've found a post in the ideas forum that mentions a similar thing. I'd start there since the more upvotes it gets, the better change it has of becoming a reality 🙂 

IsaacTakushi
HubSpot Employee

Thanks for jumping in, @cbarley10!

 

@RiccardoPisani, I've already upvoted that feature request, but the more requests like these we get, the more likely the product team will prioritize its development.

RiccardoPisani
Colaborador líder

Hi there, that would be great!

 

Do you think that HubSpot could provide me with a summary of the number of API calls grouped by day and IP / domain from last 8 weeks.

 

Thanks a ton

Riccardo

IsaacTakushi
HubSpot Employee

Hi, @RiccardoPisani.

 

I'll DM you. I might be able to meet you half way.

GregoryB
Miembro

I totally agree.

 

This is a must have feature especially when you ask third party developper to access a specific part of Hubspot. I would like or example give an access to a web agency to develop content without having access to our customer database.

matheusjiran
Colaborador | Partner nivel Diamond

This would be awesome!! Having more than 1 API key can help governance, shutdowns, and security. 

If some other application is integrated with HubSpot and has been compromised, I could only turn off or rotate that API Key, without having to go over all other applications to reset the API Key.

Also, would help sunset integrations easily just by revoking that API key.

Keeping a Log for each API Key, and having in the property details' view informing the name of the API Key that authorized that update. Many times I see the property was updated via API but from where? This would also improve trackability, troubleshooting, and governance.

 

matheusjiran_0-1624984013381.png

 

Imagine a lot of growing companies use HubSpot, they change systems at a high pace, and integrations are built and demolished constantly. This would help a lot the operations of growing companies.


Saw this on Stripe is genius!!

EPopa
Miembro

Realy need this "downtime" fixed.

Amazon Web Services uses 2 keys at a time so you can rotate them with no downtime.

 

 

JYoder
Miembro

I agree the idea would be helpful.  I'm not sure how likely this one is to happen since its been open a long time. 

I have added a separate idea that maybe more likely to get implemented, where we can just have the "Rotate and expire later" option added, so we can at least have 2 for a short time frame.  This is already present on Private/Public Apps.

 

https://community.hubspot.com/t5/HubSpot-Ideas/Add-quot-Rotate-and-expire-later-quot-to-API-Key/idi-...

JBonfante
Miembro

yes this please..... 

MKnoedgen
Colaborador

This is definitely needed for us as well. Along with the options to integrate some form of rights concept so I can give our external developers different rights. This is also a GDPR issue for us as not everybody should have access to contact data.

laurieq
Equipo de producto de HubSpot

Hi all, we've introduced Private Apps as the new and improved alternative to API Keys. When rotating a private app access token, you can choose to expire the original access token at a later time.  You can also create multiple private apps in one account and restrict its access to just what the app needs. To learn more, view our Private App documentation