What’s changing?

API Keys have been one of three authentication methods supported by HubSpot APIs. However, as part of ongoing efforts to protect our customer's data, we will be sunsetting API Keys.

As a result of this change, integrations will instead be required to work with Private Apps. Private Apps offer tighter security and allow more granular control over your integrations and account data than legacy API keys.

What this means for developers:

With the introduction of Private Apps, users who previously developed on HubSpot and utilized API Keys will now be required to migrate existing integrations from using API Key authentication to using Private Apps instead. Instructions for how to migrate existing integrations can be found here.

Why the Change?

Private Apps allow you to set up a separate static access token for each integration. Private App access tokens are also scoped like OAuth access tokens, so you can control the access that each integration has to your HubSpot account.

Private Apps work much the same as API key integrations do, with the main change being that they use a static access token in the Authorization HTTP header, instead of using the API key in a query parameter to authorize the API request. No other changes should be required of your integration aside from updating the authentication method.

If your integration is intended to be used by multiple HubSpot accounts, you must update your integration to be a Public App using OAuth 2.0. Private Apps cannot be used for multi-account apps. OAuth 2.0 provides the same security features as Private Apps, but provides a much better experience for HubSpot users, allowing them to quickly connect their HubSpot account to your app without additional code.

When is this change happening?

After November 30, we will begin the process of deprecating API Keys and your API keys will no longer be supported by HubSpot.  You will therefore be using API keys at your own risk.

As of  July 15, 2022, we no longer allowed new API keys to be created. Existing API keys will work until November 30th, but accounts which did not have an API key, as of July 15, 2022, will not have access to create a new API key. 

In order to begin using Private Apps immediately, please see the documentation for Private Apps. 

Developer Account API Keys, for configuring public apps, will still be available for use in Developer Accounts after November 30, 2022 and will not be affected by the API Key Sunset.

The migration guide linked above will remain your source of truth for information and questions regarding the API key sunset. If you have a question which hasn't been answered, reach out to Customer Support.