Earlier this summer, HubSpot announced that it is sunsetting its API Key on November 30, 2022. Moreover, as of July 15, 2022, users cannot even create an API key in their portals if they do not already have one. Since its announcement, many marketers have wondered whether this change will impact their company and any integrations with HubSpot. As of this writing, HubSpot's documentation on this change is lacking, as is their support team's knowledge of the change. So, let's change that!
In this blog post, let's dive into the specifics of the API Key sunset, HubSpot's rationale, the specific areas of HubSpot impacted and how to migrate to their new Private Apps solution.
Let's get back to basics: API stands for "Application Programming Interface." An API allows data from one application to get pushed to another. So if you're a HubSpot user but also use other software platforms, you'll need an API to push data from those apps into HubSpot so that everything syncs.
That said, APIs are not an "open door" that allows any platform to access your data in HubSpot. Before it can do that, an integration calling the API must first authenticate to prove it has permission to read and/or write data. HubSpot offers three methods for API authentication: Private App, OAuth and an API key. That last authentication method (API key) is what is being sunsetted.
Why is HubSpot sunsetting the API key?
HubSpot is full of data tied to individual contacts, companies and deals. When organizations add users to their HubSpot portals, it's not uncommon for them to customize permissions to ensure that users only read or write certain data. While API keys are convenient for organizations looking to integrate platforms, they have one significant shortcoming: they provide unfettered read and write access to data. You cannot customize what the API key accesses in HubSpot as you can with user accounts.
Best practice calls for "rotating" API keys on a cadence anywhere from one to six months. However, many clients we've worked with have never rotated their keys! This poses a security risk for an organization's data if the API key becomes compromised. With a compromised API key, malicious actors could have unlimited access to data in HubSpot.
HubSpot recognizes this inherent risk, which is why it's sunsetting the use of its API key later this year. Instead, organizations need to use the Private App or OAuth authentication method. Both methods allow more control over the data that integrations can request or change within your portal.
Unsurprisingly, HubSpot's announcement has created tremendous confusion for tech marketers who are not developers and do not have advanced knowledge about APIs. For example, many people think "API" and "API key" are the same thing, but they're not! (If it helps, remove "API" and call it a "key" instead!) HubSpot's API is staying; HubSpot's API key method of authentication is going away.
That said, it's reasonable to understand why there might be some panic amongst tech marketers with integrations they utilize, especially the popular HubSpot-Salesforce integration downloaded through the HubSpot App Marketplace. But don't panic: for companies to list integrations within the HubSpot App Marketplace (e.g., Calendly, G2, Salesforce, etc.), they must use the OAuth authentication option. As such, the sunset of the API key does not impact integrations downloaded through the App Marketplace.
Phew, we can breathe a sigh of relief there.
Custom integrations (e.g., with a platform that does not have a native integration with HubSpot) may use the HubSpot API key. We recommend conferring with whoever developed your custom integration to see whether it uses the API key or not. Tech marketers can also look at their API Key Call Log at "https://app.hubspot.com/api-key/{PORTAL_ID}/call-log". This will show any recent calls made using the API key.
If any of your integrations are affected, you should work with your developer to update each one's authentication method from an API key to a Private App before November 30.
The Private App method authorizes each request with a static access token sent in the Authorization HTTP header, instead of with the API key. According to HubSpot's Developer docs:
"Private Apps work much the same as API key integrations would, with the main change being that they use a static access token in the Authorization HTTP header, instead of using the API key in a query parameter to authorize the API request. No other changes should be required aside from updating the authentication method."
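To make that change concrete for a developer, here is an added example (not code from HubSpot or from this post's original text) that moves a request from query-parameter authentication to the Authorization header and audits code, config or log lines for leftover API key use without re-exposing the key. It assumes the legacy key travels in the `hapikey` query parameter and the token is sent as a Bearer token; the function names, URLs, key and token values are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

LEGACY_PARAM = "hapikey"  # query parameter that carried the legacy API key
_KEY_IN_URL = re.compile(r"([?&]hapikey=)[^&\s\"']*", re.IGNORECASE)


def to_private_app_request(url, headers, access_token):
    """Return (url, headers) with the API key stripped from the query
    string and the Private App token set in the Authorization header."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    kept = [(k, v) for k, v in pairs if k.lower() != LEGACY_PARAM]
    new_url = urlunsplit(parts._replace(query=urlencode(kept)))
    # Drop any existing Authorization header regardless of its casing.
    new_headers = {k: v for k, v in headers.items()
                   if k.lower() != "authorization"}
    new_headers["Authorization"] = f"Bearer {access_token}"
    return new_url, new_headers


def find_legacy_key_use(lines):
    """Return (line_number, redacted_line) for every line that still
    passes the API key in a URL. The key value is masked so the audit
    output can be shared without leaking it."""
    hits = []
    for number, line in enumerate(lines, start=1):
        if _KEY_IN_URL.search(line):
            hits.append((number, _KEY_IN_URL.sub(r"\1REDACTED", line)))
    return hits


# Constructed sample lines (placeholder key, not real traffic).
SAMPLE_LINES = [
    "GET https://api.hubapi.com/crm/v3/objects/contacts?limit=10"
    "&hapikey=00000000-0000-0000-0000-000000000000",
    "GET https://api.hubapi.com/crm/v3/objects/deals?limit=10",
    "POST https://api.hubapi.com/crm/v3/objects/contacts"
    "?hapikey=00000000-0000-0000-0000-000000000000&x=1",
]

if __name__ == "__main__":
    for number, line in find_legacy_key_use(SAMPLE_LINES):
        print(f"line {number}: {line}")
    url = SAMPLE_LINES[0].split(" ", 1)[1]
    print(to_private_app_request(url, {}, "EXAMPLE_PRIVATE_APP_TOKEN"))
```

Because the token travels in a header and not in the URL, it no longer ends up in access logs, browser history or proxy records the way a query-string key does.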
HubSpot encourages migrating from the API Key authentication to Private Apps since it’s simpler. However, Private Apps do not support extensions, custom timeline events, or webhooks. If your custom integration uses any of these, you need to migrate to the OAuth method instead. The same goes if multiple HubSpot portals use the integration.
For more information on Private Apps, I recommend directing your developers to the Developer Doc on Private Apps written by HubSpot.