Token types
The OAuth authorization flow involves three distinct token types:- Authorization code: a temporary, single-use code that’s provided in the redirect URL as a query parameter when the user approves the installation of your app. Your app then has a short window to exchange it for an access token and a refresh token, after which the authorization code cannot be reused.
- Access token: your app’s authentication credential used for every API request made on behalf of the user and the account where they installed your app. This token is provided as a Bearer token in the request, and expires after 30 minutes.
- Refresh token: your app’s long-term authentication credential that you can use to generate a new access token after the previous one expires.
Initiate OAuth access
After you create your app, a user can install it into their HubSpot account using the install URL located in your app’s settings, which will include theclient_id, redirect_uri, and scopes as query parameters. You may also include optional_scopes and state, if needed.
For example, the Node.js code block below demonstrates how to construct this authorization URL:
code query parameter, which you can use to generate an access token and a refresh token. The access token will be used to authenticate requests that your app makes, while the refresh token will be used to get a new access token when the current one expires.
Generate initial access and refresh tokens
After a user authorizes your app, the response will include acode value as a query parameter. Using this code, you’ll generate the initial access token and refresh token. Access tokens are short-lived (30 minutes), and you can check the expires_in parameter when generating an access token to determine its lifetime (in seconds).
To get OAuth access and refresh tokens, make a URL-form encoded POST request to /oauth/v3/token. In the request body, you’ll specify various auth parameters, such as client_id and client_secret, along with the code passed back through the redirect URL.
For example, your request may look similar to the following:
In the response, you’ll receive the access token along with the refresh token, which you can use to refresh the access token. The
expires_in field specifies how long the access token will last (in seconds).
Refresh an access token
Using a refresh token, you can generate a new access token by making a URL-form encodedPOST request to /oauth/v3/token. In the request body, you’ll specify the grant_type, client_id, client_secret, and refresh_token.
Retrieve access token metadata
To get information about an OAuth access token, including the user that the token was created for and their corresponding Hub ID, make aPOST request to /oauth/v3/token/introspect, providing the following form URL-encoded properties in the request body:
For example, if you wanted to query for details about the
refresh_token of na1-aaaa-bbbb-cccc-dddd-eeeeeeeeeeee, your form URL-encoded request body would include:
access_token and refresh_token grant types.
- Access token metadata
- Refresh token metadata
Error handling
When querying for access or refresh tokens, if an OAuth error occurs, the response will resemble the following:status and message fields that were included in previous versions of the OAuth token API endpoints are still available for backwards compatibility.