HubSpot Developer Changelog

Upcoming: Public apps will require a Redirect URL in the auth settings

Note: The final date for apps without redirect URLs being blocked from authorizing new users has been updated from April 3 to May 15.

Beginning on February 1st, 2023, public apps will be required to set a redirect URL in order to create or update an app. Any app that does not have a redirect URL set will be blocked from authorizing new users beginning on May 15th, 2023.

What's changing?

When a user connects an app to their HubSpot account, they use an authorization URL that includes a redirect_uri, which redirects the user back to the external application after they grant access to the app. The redirect_uri is validated against the redirect URL set in the app's auth settings.

Currently, apps are not required to set a redirect URL in the settings. Apps that do not have a redirect URL in the auth settings won't validate the redirect_uri, which can allow authorization URLs to be built that appear to connect an app but redirect to a third-party site without the HubSpot user knowing. Please note that the app's client secret is required to generate an access token that would be used to access HubSpot data.

Requiring a redirect URL to be set will ensure that HubSpot users will only be redirected to your app website when connecting your app.

As part of this update, apps will be able to set multiple redirect URLs, in the case where an app needs to redirect to multiple places, or to support multiple environments (such as QA/testing environments).

Redirect URLs using http://localhost/ will still be supported for testing while you're building your app.

Because a static set of specific redirect URLs will be required, apps will no longer be able to use dynamic redirect URLs for individual users or accounts. If your app uses a different redirect URL for each install, it will need to handle the redirects separately after the user is redirected from HubSpot back to your app, such as by tracking the user using the state parameter. You can find details on how to do this in this documentation.
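
One way to replace per-install redirect URLs with a single registered URL plus the state parameter, shown as an added example that is not HubSpot's code. The client ID, app URLs, in-memory store, TTL, and function names are assumptions for illustration; check the authorize endpoint and scope against HubSpot's OAuth documentation.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed values for illustration; none of these come from the changelog.
AUTHORIZE_URL = "https://app.hubspot.com/oauth/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://app.example.com/oauth/callback"  # the one registered URL
STATE_TTL_SECONDS = 600

# state -> (install_id, return_path, expires_at). Constructed in-memory store;
# a real app would keep this in a server-side session or database.
_pending = {}


def begin_install(install_id, return_path, scope="oauth", now=None):
    """Build the authorization URL; per-install data stays behind `state`."""
    # Only same-site paths are accepted, so the final hop cannot leave the app.
    if (not return_path.startswith("/") or return_path.startswith("//")
            or "\\" in return_path):
        raise ValueError("return_path must be a local path")
    now = time.time() if now is None else now
    state = secrets.token_urlsafe(32)  # unguessable, one per install attempt
    _pending[state] = (install_id, return_path, now + STATE_TTL_SECONDS)
    query = urlencode({"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
                       "scope": scope, "state": state})
    return f"{AUTHORIZE_URL}?{query}"


def handle_callback(callback_url, now=None):
    """Return (install_id, return_path, code), or None if state is invalid."""
    params = parse_qs(urlparse(callback_url).query)
    state = params.get("state", [""])[0]
    code = params.get("code", [""])[0]
    now = time.time() if now is None else now
    entry = _pending.pop(state, None)  # single use: a replayed state fails
    if entry is None or not code or now > entry[2]:
        return None
    install_id, return_path, _expires_at = entry
    return install_id, return_path, code
```

The per-install destination never appears in the authorization URL, so it cannot be altered there; the callback handler recovers it from server-side storage and rejects unknown, expired, or reused state values.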

When is this happening?

Apps will begin supporting multiple URLs starting today, and you can set up multiple redirect URLs in your app settings now.

New developer accounts created after October 31, 2022 will be required to include at least one redirect URL when creating or updating apps. App creation for developer accounts created before this date will not be affected at this time.

Beginning on February 1st, 2023, all existing apps will be required to include at least one redirect URL in order to save their settings. This change will affect all apps in all developer accounts.

Apps without a set redirect URL will be blocked from authenticating new users starting on May 15, 2023. Existing refresh tokens that were previously created will continue to function, so this will only affect new connections and not existing users of your app.

Please let us know if you have any questions by joining the discussion in our community.