Upcoming: API Key Sunset
Announced: June 1, 2022
Live: November 30, 2022
API Keys have been one of three authentication methods supported by HubSpot APIs. However, as part of ongoing efforts to protect our customer's data, we will be sunsetting API Keys.
As a result of this change, integrations will instead be required to work with Private Apps. Private Apps offer tighter security and allow more granular control over your integrations and account data than legacy API keys.
What this means for developers:
With the introduction of Private Apps, users who previously developed on HubSpot and utilized API Keys will now be required to migrate existing integrations from using API Key authentication to using Private Apps instead. Instructions for how to migrate existing integrations can be found here.
Why the Change?
Private Apps allow you to set up a separate static access token for each integration. Private App access tokens are also scoped like OAuth access tokens, so you can control the access that each integration has to your HubSpot account.
Private Apps work much the same as API key integrations would, with the main change being that they use a static access token in the Authorization HTTP header, instead of using the API key in a query parameter to authorize the API request. No other changes should be required aside from updating the authentication method.
If your integration is intended to be used by multiple HubSpot accounts, you must update your integration to be a Public App using OAuth 2.0. Private Apps should not be used for multi-account apps. OAuth 2.0 provides the same security features as Private Apps, but provides a much better experience for HubSpot users, allowing them to quickly connect their HubSpot account to your app without additional code.
When is this change happening?
Starting November 30, 2022, all customers will no longer have access to API Keys and in-turn will no longer be able to use API Keys as an authentication method with HubSpot APIs.
Starting July 15, 2022, we will no longer allow new API keys to be created. Existing API keys will work until November 30th, but accounts which do not have an API key, as of July 15, 2022, will not have access to create a new API key. API calls made with API keys on or after Nov 30, 2022 will return 401 errors.
In order to begin using Private Apps immediately, please see the documentation for Private Apps.
Developer Account API Keys, for configuring public apps, will still be available for use in Developer Accounts after November 30, 2022 and will not be affected by the API Key Sunset.
The migration guide linked above will remain your source of truth for information and questions regarding the API key sunset. If you have a question which hasn't been answered, reach out to Customer Support.