Last modified: August 22, 2025
HubSpot closely monitors usage of all APIs to ensure a quality experience for every user. All app and integration developers must comply with the HubSpot Acceptable Use Policy and API Terms. While HubSpot reserves the right to change or deprecate the APIs over time, updates will always be provided in advance through the Developer Changelog.
Authentication and security
For optimal security, all apps must use HubSpot’s OAuth protocol directly, or use your app’s static auth token if you’re building an app installed in a single account. Apps are responsible for storing time-to-live (TTL) data and refreshing user access tokens in accordance with this protocol. When an access token is generated, it will include anexpires_in parameter indicating how long it can be used to make API calls before refreshing. Unauthorized (401) requests are not a valid indicator that a new access token must be retrieved.
Checking API usage
Apps built on v2025.2 of the developer platform
To view API usage for your apps built on the new developer platform:- In your HubSpot account, navigate to Development in the main navigation bar.
- In the left sidebar menu, navigate to Monitoring > API call usage.
- Your API usage across all your apps will be listed at the top of the page. You can also review usage for the apps you built in your specific account, along with any third-party apps you’ve installed.
Legacy apps
To view API usage for a legacy private app:- In your HubSpot account, navigate to Development in the main navigation bar.
- In the left sidebar menu, navigate to Legacy apps.
- Click the name of the private app.
- On the app details page, click the Logs tab.
- Review the API calls listed in the table. You can also use the search bar, filters, and date pickers to further refine the displayed API calls.
Learn more about checking API usage in legacy private apps.
To view API usage for a public app using OAuth:
- In your HubSpot account, navigate to Development in the main navigation bar.
- In the left sidebar menu, navigate to Legacy apps.
- Click the name of the app.
- In the left sidebar menu, navigate to Monitoring.
- Use the tabs to view different types of requests being made to or from the app. While viewing these logs, you can click an individual request to view more information.
Learn more about monitoring API usage for legacy public apps.
Rate Limits
OAuth app burst limit
For apps with OAuth authentication, each HubSpot account that installs your app is limited to 110 requests every 10 seconds. This excludes the Search API. Limits related to the API limit increase don’t apply.App limits
The number of calls your app can make is based on your account subscription in the account it’s installed in, and whether you’ve purchased the API limit increase:| Product Tier | Per 10 Seconds | Per Day | |
|---|---|---|---|
| Apps | (Any Hub) Free and Starter | 100 / app | 250,000 / account |
| (Any Hub) Professional | 190 / app | 625,000 / account | |
| (Any Hub) Enterprise | 190 / app | 1,000,000 / account | |
| Apps with API Limit Increase | (Any Hub) Free, Starter, Professional, and Enterprise | 250 / app | 1,000,000 / account on top of your base subscription, for each limit increase. You can purchase a maximum of two API limit increases. |
Other limits
Some features and APIs have more specific limits that are listed below.App and account limits
- You can create up to 100 legacy public apps per developer account.
- You can create up to 20 legacy private apps per HubSpot account.
- You can create up to 1,000 webhook subscriptions per app.
- You can create up to 25 CRM extension settings per legacy public app.
Timeline event limits
Timeline events in a legacy public appare subject to the following limits:- You can create up to 750 timeline event types per public app.
- You can create up to 500 properties per timeline event type.
- Each serialized event instance has the following size limits:
- 500 bytes for the event instance ID
- 510 KB per property/token
- 1 MB in total size for the event instance
Custom event limits
Custom events are subject to the following limits:- There is a limit of 500 unique event definitions per account.
- There is a limit of 30 million event completions per month.
- The send custom event completions endpoint supports up to 1250 requests per second.
- The custom event completion batch endpoint supports batches of 500.
Request limits
Keep the following general limits in mind when making requests to HubSpot’s API endpoints. Some APIs may also have their own, more specific limits which will be listed on the API reference page under Limits.
- The search API endpoints are rate limited to five requests per second per authentication token, and 200 records per page request.
- API requests that are exempt from daily or secondary limits will not be logged in HubSpot. If you want to store these exempted requests, you’ll need to log these requests externally.
- Batch requests to CRM object endpoints are limited to 100 records per request. For example, you can’t batch read more than 100 contacts per request.
Service Limits
Learn more about service limits and pricing here.Error Responses
Any app or integration exceeding its rate limits will receive a429 error response for all subsequent API calls. Requests resulting in an error response shouldn’t exceed 5% of your total daily requests. If you plan on listing your app in the HubSpot App Marketplace, it must stay under this 5% limit to be certified.
The 429 response will have the following format:
message and policyName will indicate which limit you hit (either daily or secondly).
The daily limit resets at midnight based on your time zone setting.
The following table details the rate limit headers included in the response of each API request to HubSpot, subject to the exceptions listed below the table.
| Header | Description |
|---|---|
X-HubSpot-RateLimit-Daily | The number of API requests that are allowed per day. Note that this header is not included in the response to API requests authorized using OAuth. |
X-HubSpot-RateLimit-Daily-Remaining | The number of API requests still allowed for the current day. Note that this header is not included in the response to API requests authorized using OAuth. |
X-HubSpot-RateLimit-Interval-Milliseconds | The window of time that the X-HubSpot-RateLimit-Max and X-HubSpot-RateLimit-Remaining headers apply to.For example, a value of 10000 would be a window of 10 seconds. |
X-HubSpot-RateLimit-Max | The number of requests allowed in the window specified in X-HubSpot-RateLimit-Interval-Milliseconds.For example, if this header had a value of 100, and the X-HubSpot-RateLimit-Interval-Milliseconds header was 10000, the enforced limit would be 100 requests per 10 seconds. |
X-HubSpot-RateLimit-Remaining | The number of API requests still allowed for the window specified in X-HubSpot-RateLimit-Interval-Milliseconds. |
- The
X-HubSpot-RateLimit-SecondlyandX-HubSpot-RateLimit-Secondly-Remainingheaders are still included and will still have accurate data, but the limit referenced by these headers is no longer enforced and these two headers should be considered deprecated. - Responses from the search API endpoints will not include any of the rate limit headers listed above.
Address rate limit issues
The sections below detail two possible ways you can reduce the volume of API traffic if you repeatedly hit your API request limit. If you’re running into theTEN_SECONDLY_ROLLING limit, you should throttle the requests that your app is making to stay under that limit. In addition to throttling the requests, or if you’re running into the daily limit, check out the suggestions below.
If you find that you’re still hitting the call limits after looking through these suggestions, please post on HubSpot’s developer forums. You should include as many details as possible about the APIs you’re using, how you’re using them, and which limit you’re hitting.