Using OAuth 2.0 Access Tokens

OAuth 2.0 access tokens are provided as a bearer token, in the Authorization http header.

The header format is:

Authorization: Bearer {token}
➜ ~ curl -H "Authorization: Bearer CJSP5qf1KhICAQEYs-gDIIGOBii1hQIyGQAf3xBKmlwHjX7OIpuIFEavB2-qYAGQsF4" https://api.hubapi.com/contacts/v1/lists/all/contacts/all\?count\=1

{"contacts":[{"addedAt":1390574181854,"vid":204727,"canonical-vid":204727,"merged-vids":[],"portal-id":62515,"is-contact":true,"profile-token":"AO_T-mMRNC0-gfJqwyy000eKsDDyaZF7WGCDR7nwwcCgdTB_ud0lE0OHxUrRnhmxWNq6S6HEho20pvLJiD20qezzYPyDjqguKvDzVQlldiIxMSJFaYm505BnslV9hABly_GAk5agvp0g","profile-url":"https://app.hubspot.com/contacts/62515/lists/public/contact/_AO_T-mMRNC0-gfJqwyy000eKsDDyaZF7WGCDR7nwwcCgdTB_ud0lE0OHxUrRnhmxWNq6S6HEho20pvLJiD20qezzYPyDjqguKvDzVQlldiIxMSJFaYm505BnslV9hABly_GAk5agvp0g/","properties":{"firstname":{"value":""},"lastmodifieddate":{"value":"1473963575184"},"company":{"value":""},"lastname":{"value":""}},"form-submissions":[],"identity-profiles":[{"vid":204727,"saved-at-timestamp":1471266813356,"deleted-changed-timestamp":0,"identities":[{"type":"LEAD_GUID","value":"f9d728f1-dff1-49b0-9caa-247dbdf5b8b7","timestamp":1390574181878},{"type":"EMAIL","value":"new-email@hubspot.com","timestamp":1471266813256}]}],"merge-audits":[]}],"has-more":true,"vid-offset":204727}%

 In this example, the access token is CJSP5qf1KhICAQEYs-gDIIGOBii1hQIyGQAf3xBKmlwHjX7OIpuIFEavB2-qYAGQsF4

An example, using cURL, to get contacts, using the Authorization header:

Notes:
- HubSpot access tokens will fluctuate in size as we change the information that is encoded the tokens. We recommend allowing for tokens to be up to 300 characters to account for any changes we may make.

- If you're using OAuth 2.0 access tokens, you should not include hapikey= or access_token= in the request URL. The Authorization header is used in place of those query parameters.