Authentication Overview

HubSpot currently offers two types of API authentication: OAuth and API Key access. All API users are encouraged to use OAuth for security purposes, and app developers are required to do so if your app is public and listed in the HubSpot App Makrketplace. If you're developing internally for your organization, you can generate a HubSpot API key here.

Note the difference between using OAuth and API keys in your calls, which is simply a difference in the authentication paraleter used in your calls:

• For OAuth: &access_token=TOKEN
• For API Keys: &hapikey=KEY

HubSpot currently offers three editions: Basic, Professional, and Enterprise. Direct API access is limited to Professional and Enterprise customers only, as well as access to eCommerce and CRM Integration applications. All of the HubSpot products, including Basic, do have access to the HubSpot APIs via OAuth, making the use of OAuth incredibly valuable for any public HubSpot app.

OAuth, (or Open Authorization) is an open standard for authorization. It allows users to share their private resources (e.g. leads, blog posts, prospects) stored on HubSpot with another site without having to hand out their credentials, typically username and password. Continue reading for more information on OAuth and how we've implemented it in HubSpot

If you aren't familiar with OAuth, you can read some of these resources before getting started:

• Main OAuth website: http://oauth.net/2/ (links to the spec, some implementations, etc.)
• Background with examples from Facebook: http://www.sociallipstick.com/?p=239
• Google's OAuth Playground is excellent: http://googlecodesamples.com/oauth_playground/index.php
• Here is a video that does a good job at explaining how OAuth is implemented at Google, which is identical to how we've done it here at HubSpot. To see the OAuth flow, jump ahead to 34:55 in the video, but the whole talk is a great introduction to OAuth in general. Remember, for any questions, please ask them in our Developer Forum: