Hola! ¡Tenemos nuestra Comunidad en Español!

HAPI Key Security

As it stands the HubSpot API will accept the HAPI Key for all requests.

 

As a corollary this means that anyone who has the HAPI Key can do anything with the account. Such as:

 

  • Export all contact information
  • Send any email campaign
  • Manage users
  • Export and manage deals
  • Etc.

There is no way to limit the power of the HAPI Key in HubSpot which is really a weak point. If the key is ever compromised, the portal is at extreme risk which can do irreparable damage to a company/brand.

 

What is needed is a more comprehensive security setup for HAPI keys. Yes, we can phase them out and move to OAuth, but seriously, the HAPI Key is used in so many integrations by now that it would be literally impossible to "phase out" at this point.

 

So, for the long run I am proposing:

 

  • Create a way to maintain multiple keys and suspend/revoke their access
  • Make it possible to limit them by IP
  • Add an optional hashing mechanism for [sensitive] calls
  • Add a way to fine tune any key's access to different APIs.

As an example, look at SparkPost's API key management:

 

Edit_API_Key___SparkPost-2.jpgAPI_Keys___SparkPost.jpg

 

I would also like to add that the key itself looks like a UUID v4 — not guaranteed to be cryptographically secure.

 

I think you would be better off using other recommended hashing methods to generate guaranteed unique and unguessable keys at least 128bits long. Just my own two cents.

2 Replies
MarkdeLange
Regular Contributor

Great idea, I agree the happykey is a weak spot from a security point of view. 

 

Another use case is where on a global account individual users may need to be restricted to accessing data via the happykey  to assets based on HS teams/brands. 

 

 

hannuCR
Occasional Contributor

Yes, this is definitely a necessary feature, please implement this.