Using OAuth 2.0 Access Tokens

OAuth 2.0 access tokens are provided as a bearer token, in the Authorization http header.

The header format is:

Authorization: Bearer {token}

Note: HubSpot access tokens will fluctuate in size as we change the information that is encoded the tokens. We recommend allowing for tokens to be up to 300 characters to account for any changes we may make.

An example, using cURL, to get contacts, using the Authorization header:

➜ ~ curl -H "Authorization: Bearer CJSP5qf1KhICAQEYs-gDIIGOBii1hQIyGQAf3xBKmlwHjX7OIpuIFEavB2-qYAGQsF4" https://api.hubapi.com/contacts/v1/lists/all/contacts/all\?count\=1

{"contacts":[{"addedAt":1390574181854,"vid":204727,"canonical-vid":204727,"merged-vids":[],"portal-id":62515,"is-contact":true,"profile-token":"AO_T-mMRNC0-gfJqwyy000eKsDDyaZF7WGCDR7nwwcCgdTB_ud0lE0OHxUrRnhmxWNq6S6HEho20pvLJiD20qezzYPyDjqguKvDzVQlldiIxMSJFaYm505BnslV9hABly_GAk5agvp0g","profile-url":"https://app.hubspot.com/contacts/62515/lists/public/contact/_AO_T-mMRNC0-gfJqwyy000eKsDDyaZF7WGCDR7nwwcCgdTB_ud0lE0OHxUrRnhmxWNq6S6HEho20pvLJiD20qezzYPyDjqguKvDzVQlldiIxMSJFaYm505BnslV9hABly_GAk5agvp0g/","properties":{"firstname":{"value":""},"lastmodifieddate":{"value":"1473963575184"},"company":{"value":""},"lastname":{"value":""}},"form-submissions":[],"identity-profiles":[{"vid":204727,"saved-at-timestamp":1471266813356,"deleted-changed-timestamp":0,"identities":[{"type":"LEAD_GUID","value":"f9d728f1-dff1-49b0-9caa-247dbdf5b8b7","timestamp":1390574181878},{"type":"EMAIL","value":"new-email@hubspot.com","timestamp":1471266813256}]}],"merge-audits":[]}],"has-more":true,"vid-offset":204727}%

 In this example, the access token is CJSP5qf1KhICAQEYs-gDIIGOBii1hQIyGQAf3xBKmlwHjX7OIpuIFEavB2-qYAGQsF4

If you're using OAuth 2.0 access tokens, you should not include hapikey= or access_token= in the request URL. The Authorization header is used in place of those query parameters.