HubSpot is Removing API Keys – What Does It Mean For You?

Newsflash: HubSpot to phase out API keys!

API keys have been one of the three authentication methods supported by HubSpot APIs. However, as a part of HubSpot’s continuous efforts to improve cybersecurity and protect customer data, HubSpot is phasing out API keys.

From November 30, 2022, folks will not be able to use HubSpot API keys as an authentication method. They will need to use a private app access token or OAuth to authenticate API calls.

Private apps provide intense security and allow more granular control of your integrations and account data than legacy API keys. Therefore, as a result of this change, you need to migrate to private apps.

In this blog post, we’ll talk about what all this change means, who this affects, and how organizations can adapt to this change.

What are HubSpot API keys?

With HubSpot API keys, your developers can create custom applications with HubSpot’s APIs. Each key is specific to a HubSpot account, not a single user, and only one key is allowed at a time. HubSpot API keys improve account security by identifying and authorizing projects and applications and limiting API access to those with an API key. You can use API keys for:

• Creating custom functionality like custom objects
• Creating custom integrations and making webhook calls
• Making associations or updating the objects through API calls

How Can this Change Impact Your Business?

If your existing integrations use webhooks or custom timeline events, then you would need to shift to public apps for future updates in these features. Since there are only one or two methods to authenticate HubSpot apps and custom integrations, API keys are the most commonly used ones.

API keys are the easiest and quickest way to set up the available methods. For this reason, you should review how it’s built and make appropriate adjustments.

API keys are being phased out to make way for HubSpot’s CRM V3 API. Therefore, HubSpot is using this opportunity to sunset the eCommerce Bridge API and the Accounting Extension API on 1 December, 2022. The eCommerce Bridge API will need to be migrated to use HubSpot’s latest CRM V3 API.

This change can impact your business in the following ways:

• You will no longer authenticate custom integrations or apps that still use API keys.
• Your existing third-party integrations will no longer be able to communicate with API. So, in the future, you need to make API calls via Public Apps.

Also, you’ll need to migrate your API keys to Public Apps wherever they are used for custom integration purposes. However, the good news is that ‘native applications’, the ones you integrate via the HubSpot App marketplace or those you have already integrated via the App Marketplace, remain unaffected.

How Private & Public HubSpot Apps are More Secure for Businesses

If you’ve built an internal integration that uses a HubSpot API key, your API key will have both read and write and access to all of your HubSpot CRM data. And it can be a security risk if your API key is compromised. By migrating to a private app, you can authorize the particular scopes that your integration needs. It generates an access token that limits the data that your integration can request or change in your account. In addition, while API keys need token refreshing, private app access tokens do not. In addition, private and public apps are more secure for businesses because:

• They enable you to set up separate and distinct access tokens to each section.
• They offer a better degree of control over read-write attributes, especially when compliance is a top priority for so many businesses.

Also, Private Apps are a good option for one-off scripts or single API calls. For instance, you can use a Private App to create a new custom object or to import CRM records from a CSV file if you’re using a script. Private Apps can also be used in CMS serverless functions or code snippets in a chatbot. When used in the HubSpot Private App, keys can be securely stored as a secret and used to make API requests by referencing that secret.

You can check out the documentation for Private Apps for more details on creating and using Private Apps.

Which Integrations Will be Affected?

Here are some integrations that need to be updated.

• Any Integration Using an API Key to Access HubSpot:

  API keys updated in your HubSpot portal will be working till 30th November 2022.

• Zapier Integrations Using Webhooks with API Key Authentication:

  Standard Zapier integrations are built using OAuth, which isn’t impacted by this update. Those that use webhooks will need to be updated.

• Integromat/Make Integrations Using Webhooks With API Key Authentication:

  ‘Make’ (previously known as Integromat) standard integrations are not impacted by this update. Those that use webhooks will need to be updated.

How Can Grazitti Help?

To prevent your HubSpot integration from breaking you need to create a private app, assign the appropriate scopes, and then deploy the app’s token. This work should be conducted by an expert API developer.

And this is where Grazitti can help. Our HubSpot experts have the right experience & expertise to complete the migration for you. As HubSpot partners, we’ve been aware of this upcoming change for some time. Therefore, we have designed a process that delivers perfect results every time, avoids downtime, and ensures that no data is lost during your API key to Private App Migration.

Conclusion

You can still create/update custom objects and its associations after the HubSpot API key sunset with Private Apps. Also, native integrations will not be affected by the phasing out of API keys. However, if you don’t migrate your custom integrations, your integrations will no longer work after November 30, 2022, and will return a 404 error. So, migrate your affected integrations timely to ensure that your business is secure and running smoothly.

Need an Extra Set of Hands to Migrate to HubSpot Private Apps? Let’s Talk!