DEV Community

Alessio Michelini

How to replace the API Key with Private Apps in Hubspot

If you are a Hubspot customer, you should know by now that the old API Key is going away: after the 30th of November 2022 it will no longer be accepted as an authentication method.
If you are still using it, or you are planning to use Hubspot APIs in the future, the best way to authenticate your calls is via Private Apps.

But what's the difference between the two methods?

To give a bit more context, especially if you are new to the Hubspot ecosystem: in the past, the API Key was a way to authenticate your application against Hubspot's API, for example when requesting data about a contact or submitting a form.
The core problem with the API Key is very simple: it gives root access to all the endpoints. So if somebody manages to get that API Key, they have access to all the information available via API requests on your portal, with no restrictions.

Private Apps still authenticate via a token, but they differ in terms of permissions: you can restrict that token to a subset of permissions, or scopes, that you define.
You can also isolate apps in your portal. For example, if you have an app that only needs to read the contacts endpoint, you can grant just that, and give a different token with different permissions to another application. If somebody gets access to one of your tokens, they only have limited access, and you can turn off or rotate the key for that specific project/app instead of for the whole portal.

How to create a Private App

Creating one is fairly simple: go to your portal settings > Private Apps and click the Create a private app button.
In the next window, give it a name, so you can tell which app or project it relates to, and grant the permissions you need, and only those permissions: if you grant all the permissions, it defeats the purpose of using Private Apps in the first place.

[Image: Private Apps Scopes]

How to use the Private App Token

The difference between the API Key and the Private App Token is that the first one used to be passed as a query parameter, hapikey, in your call, for example:

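import axios from 'axios';

const fetchData = async () => {
  // Old method: the API Key travels in the URL as the hapikey query parameter
  const { data } = await axios.get('https://api.hubapi.com/crm/v3/objects/contacts?hapikey=YOUR_API_KEY');
  // rest of code
};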

The Private App Token, instead, needs to be passed in the header of the request as a Bearer Token, like this:

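import axios from 'axios';

const fetchData = async () => {
  // The token goes in the Authorization header, not in the URL
  const { data } = await axios.get('https://api.hubapi.com/crm/v3/objects/contacts', {
    headers: {
      Authorization: 'Bearer YOUR_ACCESS_TOKEN'
    }
  });
  // rest of code
};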

Or if you use Axios to do your requests, you can even create an instance, so you set your token only once, and you use that instance for all the requests, like this:

// Import axios
import axios from 'axios';

// Get the token (HUBSPOT_PRIVATE_APP_TOKEN is an example variable name, use your own)
const {
  HUBSPOT_PRIVATE_APP_TOKEN: token
} = process.env;

// Create your axios instance
const privateAppsAxios = axios.create({
  baseURL: 'https://api.hubapi.com',
  headers: {
    Authorization: `Bearer ${token}`
  }
});

// Use it
const fetchData = async () => {
  const { data } = await privateAppsAxios.get('/crm/v3/objects/contacts/');
  // do stuff with data
};
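During a migration it is easy to miss a call that still appends hapikey, which keeps the old key in URLs (and therefore in logs) even after the Bearer header is in place. The following is an added example, not code from the original post: a helper that takes an axios-style request config, strips any leftover hapikey from the URL and from params, and attaches the Private App token instead. The names toPrivateAppRequest and legacyKeysRemoved are hypothetical, and the sample request is constructed.

```javascript
// Added example: names below are hypothetical, not part of HubSpot or axios.
const HUBSPOT_BASE = 'https://api.hubapi.com'; // public HubSpot API host
const LEGACY_PARAM = 'hapikey';

// Take an axios-style request config ({ url, params, headers }), drop any
// leftover API Key and attach the Private App token as a Bearer header.
function toPrivateAppRequest(config, token) {
  if (!token) throw new Error('Private App token is not set');

  // Resolve relative paths such as '/crm/v3/objects/contacts' against the base.
  const url = new URL(config.url, config.baseURL || HUBSPOT_BASE);
  let removed = 0;

  // 1. Key embedded directly in the URL string.
  for (const name of [...url.searchParams.keys()]) {
    if (name.toLowerCase() === LEGACY_PARAM) {
      url.searchParams.delete(name);
      removed += 1;
    }
  }

  // 2. Key passed through the separate `params` object.
  const params = {};
  for (const [name, value] of Object.entries(config.params || {})) {
    if (name.toLowerCase() === LEGACY_PARAM) removed += 1;
    else params[name] = value;
  }

  return {
    ...config,
    url: url.toString(),
    params,
    headers: { ...(config.headers || {}), Authorization: `Bearer ${token}` },
    legacyKeysRemoved: removed, // lets the caller log or fail on old usages
  };
}

// Constructed sample: a call still written the old way, key in both places.
const migrated = toPrivateAppRequest(
  {
    url: '/crm/v3/objects/contacts?limit=10&hapikey=OLD_KEY',
    params: { hapikey: 'OLD_KEY', archived: false },
  },
  'YOUR_ACCESS_TOKEN'
);
console.log(migrated.url, migrated.legacyKeysRemoved);
```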

And that's it, you are ready to use Private Apps in Hubspot!

Top comments (1)

martinkasike

Sorry, I need your WhatsApp number