Public Beta: Automatic Deactivation of Exposed Tokens

To enhance the security of our platform and protect our customers, we are introducing an automatic token deactivation public beta feature on October 8th, 2024, for any HubSpot tokens publicly exposed in GitHub repositories. This update is designed to mitigate the risks of token exposure by automatically deactivating the identified tokens and notifying the affected customers and their associated technical contacts. 

The new feature will include the following token types listed below, along with examples of the notifications communicating detected token deactivation:

• Developer API Keys (associated with Developer Portals)

• Personal Access Keys (associated with the CLI)

• Private App Tokens

• SMTP Tokens

*Note: Users are responsible for manually generating a new SMTP token after it's been automatically deactivated.

What's changing?

• Automated Deactivation: Any HubSpot tokens exposed in public GitHub repositories will be automatically deactivated once identified. This process will be initiated by GitHub using a regex-based detection mechanism.
• Customer Notifications: Upon detection, affected customers and their technical contacts will receive notifications via email and in-app, guiding them through the necessary remediation steps.
• Opt-In Period: Before mandatory enforcement, customers can opt into these changes from October 8th, 2024, to April 7th, 2025. This opt-in period allows customers to test and prepare for the full rollout. After this opt-in period, this feature will be enforced, and any exposed tokens will be automatically deactivated once notified via email and in-app banners.

What does this mean for developers?

To avoid service disruption, developers using affected tokens (API Keys, Personal Access Keys, Private App Tokens, SMTP Tokens) must ensure they are not exposed in public repositories. Developers must generate new tokens and update their integrations if a token is revoked.

There is a particular concern regarding private apps. Developers using private app tokens should be aware that these tokens will also be subject to the same automatic revocation process. 

When is this happening? 

This feature is being introduced to public beta on October 8th, 2024, and will be live and enforced on April 7th, 2025.

To opt into this beta feature, please refer to the Product Updates by clicking on your HubSpot account's profile picture, navigating to In beta, and clicking on Join Beta. For more information, please refer to the documentation.

Questions or comments? Join us in the developer forums.