Manage OAuth tokens
Use the OAuth tokens API to generate and manage tokens needed for authorizing your public app and the requests it makes. For example, you'll need to use this API to fetch the initial access and refresh tokens during the app installation process. You'll then use it to continue generating new tokens when the old ones expire. Learn more about working with OAuth.
Before you can use these endpoints, you'll have to create a public app. A user will then need to install it into their account to initiate OAuth access.
After creating your app, a user can install it into their HubSpot account using they'll use the install URL located in the app's settings, which will include the client_id
, redirect_uri
, and scopes
as query parameters. You may also include optional_scopes
and state
, if needed. Learn more about initiating OAuth for your app.
After a user authorizes your app and installs it into their account, the redirect URL will be appended with a code
value, which you can use to generate an access token and a refresh token. The access token will be used to authenticate requests that your app makes, while the refresh token will be used to get a new access token when the current one expires.
To get OAuth access and refresh tokens, make a URL-form encoded POST
request to /oauth/v1/token
. In the request body, you'll specify various auth parameters, such as client_id
and client_secret
, along with the code
passed back through the redirect URL.
After a user authorizes your app, the redirect URL will be appended with a code
value. Using this code, you'll generate the initial access token and refresh token. Access tokens are short-lived, and you can check the expires_in
parameter when generating an access token to determine its lifetime (in seconds).
For example, your request may look similar to the following:
Parameter | Type | Description |
---|---|---|
grant_type
| String | Must be |
code
| String | The |
redirect_uri
| String | The app's set redirect URL. |
client_id
| String | The app's client ID. |
client_secret
| String | The app's client secret. |
In the response, you'll receive the access token along with the refresh token, which you can use to refresh the access token. The expires_in
field specifies how long the access token will last (in seconds).
Using a refresh token, you can generate a new access token by making a URL-form encoded POST
request to /oauth/v1/token
. In the request body, you'll specify the grant_type
, client_id
, client_secret
, and refresh_token
.
Parameter | Type | Description |
---|---|---|
grant_type
| String | Must be |
refresh_token
| String | The refresh token value. |
client_id
| String | The app's client ID. |
client_secret
| String | The app's client secret. |
To get information about an OAuth access token, including the user that the token was created for and their corresponding Hub ID, make a GET
request to /oauth/v1/access-tokens/{token}
.
You'll receive a response containing information about the user their HubSpot account.
If a user uninstalls your app, you can delete the refresh token by making a DELETE
request to /oauth/v1/refresh-tokens/{token}
. This will only delete the refresh token. Access tokens generated with the refresh token will not be deleted. Additionally, this will not uninstall the application from HubSpot accounts or inhibit data syncing between the app and account.
Thank you for your feedback, it means a lot to us.