Remember, remember, the 30th of November. It’s the deadline for using HubSpot API keys — after the 30th, businesses will need a different solution for authenticating and authorising apps and custom integrations.
As a part of HubSpot’s continuous efforts to boost cybersecurity and protect customer data, HubSpot is phasing out API keys. We explore what all this means for non-technical readers. But first, here’s a summary of who this affects and how organisations can adapt to this change:
HubSpot is removing API keys — who does this impact?
Any HubSpot account utilising custom integrations might be affected by this change. This is because API keys are in common usage as there are only a few methods used to authenticate HubSpot apps and custom integrations, and API keys are the quickest and easiest to set up of the available methods.
For this reason, anyone using custom integrations should review how it’s built and make appropriate adjustments.
What do I need to do?
Once API keys are phased out, HubSpot will no longer authenticate custom integrations or apps that still use API keys. This means that these apps and integrations will no longer be able to communicate with HubSpot and will likely stop working as intended.
Preventing this requires migrating integrations from API key authentication to either HubSpot Private Apps or HubSpot Public Apps using OAuth 2.0. For peace of mind and a seamless migration process, consider contacting the experts.
When is the deadline?
Starting November 30, 2022, all customers will no longer have access to API keys or API key-based authentication.
Phew, now that we’ve gotten the nitty-gritty details, we can focus on explaining key terms and concepts, like what an API is and why we may need keys for them.
What are HubSpot API keys?
For the non-developers in the room, Application Programming Interfaces (APIs) provide a way for two or more different computer programs to speak to each other. Along with defining how pieces of software interact with each other, APIs control requests made between programs, how those requests are made, and the data formats used. This is such a necessary function that you could say the entire internet is stitched together using APIs.
HubSpot’s API enables developers to build custom integrations and apps that help you get the most value out of HubSpot. This is a powerful feature but if bad actors were to gain access to your HubSpot account’s API, then they could retrieve and interact with sensitive business and customer data.
HubSpot API keys improve account security by identifying and authorising projects and applications and limiting API access to those with an API key. So if a developer has the secret code (HubSpot API key), then they can send requests to the HubSpot API. But if you don’t have the secret code, then you’re locked out of the castle with no way of getting in.
The downside to using API keys is that they function like passwords. If a hacker were to get their hands on your API key, then they might exploit it to access data like personal information. Keeping your API key safe requires vigilance from every person with access to it. As a recent CloudSek study shows, data leaks are bound to occur when having faith in people is a crucial feature of your cybersecurity strategy. The digital risk company discovered that the data of over 1.6 million users has been compromised through sloppily handled HubSpot API keys.
Better security through Private and Public HubSpot Apps
Unlike API keys, where all HubSpot integrations share the same secret code, Private and Public Apps enable you to set up separate and distinct access tokens for each integration. While the code still needs to be kept secret, access tokens can be customised to have different levels of API access, giving you greater control over how users access business processes and data.
It’s the difference between giving all users super admin access — as is the case with API keys — and selecting user privileges and permissions based on the integration — as enabled by Private and Public Apps.
While they have similar functions, Private Apps are designed for single HubSpot accounts. Conversely, Public Apps are intended for use by multiple HubSpot accounts.
Don’t let the sun go down on you
Businesses using custom integrations have until November 30, 2022, to ensure they aren’t impacted by HubSpot sunsetting API keys. If you’re in this position, then you have two options. You can replace all API keys with Private or Public App tokens yourself, or you can hire a HubSpot Solutions Partner to do it for you.
At Huble, our Software Integrations and Development Team specialise in helping organisations maximise value from the HubSpot system. Along with building custom integrations, we offer support connecting tools and bespoke solutions. This includes helping businesses migrate from API keys to Private or Public Apps.
If you need support moving away from API keys, then contact us. We’ll come up with a foolproof plan that eliminates the risk of business disruption.
