HubSpot currently offers two types of API authentication: OAuth and API Key access. All API users are encouraged to use OAuth for security purposes, and app developers are required to do so if your app is public and listed in the HubSpot App Marketplace. If you're developing internally for your organization, you can generate a HubSpot API key here.
Note the difference between using OAuth and API keys in your calls, which is simply a difference in the authentication parameter used in your calls:
HubSpot currently offers three editions: Basic, Professional, and Enterprise. Direct API access is limited to Professional and Enterprise customers only, as well as access to eCommerce and CRM Integration applications. All of the HubSpot products, including Basic, do have access to the HubSpot APIs via OAuth, making the use of OAuth incredibly valuable for any public HubSpot app.
OAuth, (or Open Authorization) is an open standard for authorization. It allows users to share their private resources (e.g. leads, blog posts, prospects) stored on HubSpot with another site without having to hand out their credentials, typically username and password. Continue reading for more information on OAuth and how we've implemented it in HubSpot
If you aren't familiar with OAuth, you can read some of these resources before getting started:
The OAuth specification defines something called a "scope" which is a particular type of data access, also conceptually similar to a particular permission. This page defines the scopes we use here at HubSpot, and describes the experience that a typical user would have from using a HubSpot application with OAuth configured.
If your app or service is accessing the HubSpot APIs, you will use an OAuth Access Token to access user data instead of using an API Key. Once you get access to a user's OAuth Access Token, it's as simple as replacing "hapikey" with "access_token" in all HubSpot API calls that you're making. More on using OAuth in HubSpot apps on this page.
If you have an existing app in the HubSpot Marketplace, canvas or external, the following is meant to help you convert your app from using the old API authentication system (api keys) to our new OAuth system using (access tokens).