As it stands, the HubSpot API will accept the HAPI Key for all requests.
As a corollary, this means that anyone who has the HAPI Key can do anything with the account. Such as:
There is no way to limit the power of the HAPI Key in HubSpot, which is really a weak point. If the key is ever compromised, the portal is at extreme risk, which can do irreparable damage to a company/brand.
What is needed is a more comprehensive security setup for HAPI keys. Yes, we can phase them out and move to OAuth, but seriously, the HAPI Key is used in so many integrations by now that it would be literally impossible to "phase out" at this point.
So, for the long run I am proposing:
As an example, look at SparkPost's API key management:
I think you would be better off using other recommended hashing methods to generate guaranteed unique and unguessable keys at least 128 bits long. Just my own two cents.
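As an added example, not code from this thread or from HubSpot, here is the shape of key management the two posts above ask for: a key carrying at least 128 bits of entropy from the OS CSPRNG, stored server-side only as a hash, and bound to a set of scopes so a leaked key cannot do everything. The in-memory store, key format and scope names are constructed for the example.

```python
import hashlib
import hmac
import secrets

SECRET_BYTES = 32  # 256 bits of randomness per key; the thread asks for at least 128

# Constructed store for the example: key_id -> {"hash": bytes, "scopes": frozenset}
_KEY_STORE = {}


def secret_entropy_bits():
    """Bits of CSPRNG entropy in each issued key secret."""
    return SECRET_BYTES * 8


def issue_key(scopes):
    """Create a scoped API key. The plaintext is returned exactly once;
    only its SHA-256 hash is kept, so a database leak does not yield usable keys.
    A fast hash is sufficient here because the secret is unguessable by construction."""
    key_id = secrets.token_hex(4)                # public identifier, used for lookup only
    secret = secrets.token_urlsafe(SECRET_BYTES)  # the unguessable part
    key = f"{key_id}.{secret}"
    _KEY_STORE[key_id] = {
        "hash": hashlib.sha256(key.encode()).digest(),
        "scopes": frozenset(scopes),
    }
    return key


def check_key(key, required_scope):
    """Return True only if the presented key matches a stored hash AND that
    record grants required_scope. Unknown id, wrong secret and missing scope
    all fail the same way, so the caller learns nothing about which part was wrong."""
    key_id, _, _ = key.partition(".")
    record = _KEY_STORE.get(key_id)
    if record is None:
        return False
    candidate = hashlib.sha256(key.encode()).digest()
    if not hmac.compare_digest(candidate, record["hash"]):  # constant-time compare
        return False
    return required_scope in record["scopes"]


def revoke_key(key_id):
    """Revoke a single key by id; other keys on the account keep working."""
    return _KEY_STORE.pop(key_id, None) is not None
```

Revocation by id and scope checks are exactly what a single all-powerful key cannot offer, which is the gap the original post describes.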
Hi All! As @rad mentioned back in June, we've been working on a more secure alternative to HAPI Keys. We're about to launch a small Private Beta. If you're interested in participating, please complete the form below and someone from the HubSpot Product team will reach out over the next couple of weeks if you meet our beta participant criteria:
Private Beta Form
Hey friends! We should have some updates quite soon on our plan to deprecate many of these risks associated with API keys & replace them with a better system. We're not quite ready to invite folks to try out our new system just yet, but we should have some exciting new things coming in the next few weeks & months to address this. When we do, I'll post an update on this thread!