Using OAuth 2.0 Access Tokens

OAuth 2.0 access tokens are provided as a bearer token, in the Authorization http header.

The header format is:

Authorization: Bearer {token}

An example, using cURL, to get contacts, using the Authorization header:

➜ ~ curl -H "Authorization: Bearer CJSP5qf1KhICAQEYs-gDIIGOBii1hQIyGQAf3xBKmlwHjX7OIpuIFEavB2-qYAGQsF4" https://api.hubapi.com/contacts/v1/lists/all/contacts/all\?count\=1

{"contacts":[{"addedAt":1390574181854,"vid":204727,"canonical-vid":204727,"merged-vids":[],"portal-id":62515,"is-contact":true,"profile-token":"AO_T-mMRNC0-gfJqwyy000eKsDDyaZF7WGCDR7nwwcCgdTB_ud0lE0OHxUrRnhmxWNq6S6HEho20pvLJiD20qezzYPyDjqguKvDzVQlldiIxMSJFaYm505BnslV9hABly_GAk5agvp0g","profile-url":"https://app.hubspot.com/contacts/62515/lists/public/contact/_AO_T-mMRNC0-gfJqwyy000eKsDDyaZF7WGCDR7nwwcCgdTB_ud0lE0OHxUrRnhmxWNq6S6HEho20pvLJiD20qezzYPyDjqguKvDzVQlldiIxMSJFaYm505BnslV9hABly_GAk5agvp0g/","properties":{"firstname":{"value":""},"lastmodifieddate":{"value":"1473963575184"},"company":{"value":""},"lastname":{"value":""}},"form-submissions":[],"identity-profiles":[{"vid":204727,"saved-at-timestamp":1471266813356,"deleted-changed-timestamp":0,"identities":[{"type":"LEAD_GUID","value":"f9d728f1-dff1-49b0-9caa-247dbdf5b8b7","timestamp":1390574181878},{"type":"EMAIL","value":"new-email@hubspot.com","timestamp":1471266813256}]}],"merge-audits":[]}],"has-more":true,"vid-offset":204727}%

 In this example, the access token is CJSP5qf1KhICAQEYs-gDIIGOBii1hQIyGQAf3xBKmlwHjX7OIpuIFEavB2-qYAGQsF4

If you're using OAuth 2.0 access tokens, you should not include hapikey= or access_token= in the request URL. The Authorization header is used in place of those query parameters.