The current implementation allows for one active API key at a time. In order to keep things secure, it is suggested that the key is rotated on a schedule. However, in order to do so, you must deactivate the existing key when creating a new one. This would, in many implementations, create downtime. That is a noted issue here: https://knowledge.hubspot.com/integrations/how-do-i-get-my-hubspot-api-key
"While this may create downtime and require effort, it adds a layer of security by..."
For some implementations, including ours, where this key must be updated across several servers, this is not ideal.
I'd like to see the ability to have at least 2 API keys allowed at a time. This would allow us to create a new API key and roll out the new one without affecting any live integrations. Then once the new API key has been rolled out, we can deactivate the old one.
Hi all, we've introduced Private Apps as the new and improved alternative to API Keys. When rotating a private app access token, you can choose to expire the original access token at a later time. You can also create multiple private apps in one account and restrict its access to just what the app needs. To learn more, view our Private App documentation.
Hey Riccardo! That's a great idea to have some sort of API key partitioning. It is not a possibility at this time within HubSpot, butI've heard of it before, and I've found a post in the ideas forum that mentions a similar thing. I'd start there since the more upvotes it gets, the better change it has of becoming a reality 🙂
@RiccardoPisani, I've already upvoted that feature request, but the more requests like these we get, the more likely the product team will prioritize its development.
This is a must have feature especially when you ask third party developper to access a specific part of Hubspot. I would like or example give an access to a web agency to develop content without having access to our customer database.
This would be awesome!! Having more than 1 API key can help governance, shutdowns, and security.
If some other application is integrated with HubSpot and has been compromised, I could only turn off or rotate that API Key, without having to go over all other applications to reset the API Key.
Also, would help sunset integrations easily just by revoking that API key.
Keeping a Log for each API Key, and having in the property details' view informing the name of the API Key that authorized that update. Many times I see the property was updated via API but from where? This would also improve trackability, troubleshooting, and governance.
Imagine a lot of growing companies use HubSpot, they change systems at a high pace, and integrations are built and demolished constantly. This would help a lot the operations of growing companies.
I agree the idea would be helpful. I'm not sure how likely this one is to happen since its been open a long time.
I have added a separate idea that maybe more likely to get implemented, where we can just have the "Rotate and expire later" option added, so we can at least have 2 for a short time frame. This is already present on Private/Public Apps.
This is definitely needed for us as well. Along with the options to integrate some form of rights concept so I can give our external developers different rights. This is also a GDPR issue for us as not everybody should have access to contact data.
Hi all, we've introduced Private Apps as the new and improved alternative to API Keys. When rotating a private app access token, you can choose to expire the original access token at a later time. You can also create multiple private apps in one account and restrict its access to just what the app needs. To learn more, view our Private App documentation.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
