Skip to main content
HubSpot Authentication

How the HubSpot API authenticates requests from workflow automations within CloudTalk

S
Written by Shelby Glynn
Updated over a week ago

Here is a high level overview of HubSpot's authentication logic for workflow automations, and what it means for your workflows.

User Level:

  • Admin


API Authentication

Workflow Automations

As of April 2023, HubSpot has made changes to their security requirements. In alignment with these changes, the security process for API calls made through workflow automations has also changed.

Authorization via OAuth

For requests sent toward the HubSpot API, CloudTalk's backend logic will disregard any existing auth headers (made with private app tokens). Instead, the OAuth authorization configured within your first integration instance with HubSpot will be called on for all workflow automations.

For New and Existing Workflows

  1. Your existing automations will still run. You don't need to change anything about setup, or remove keys that were added. They will just be disregarded in favor of the new security process.

  2. You don't need to include any keys or auth headers in new setups. All you need is your endpoint, query strings, and request body.

  3. You will need to limit workflows to one HubSpot integration. Previously, you may have had multiple HubSpot integration instances on one account, each with its own set of workflow automations. Going forward, only automations from the most recently created integration instance will run.

  4. For custom-built API requests, confirm necessary scopes. Since the authorization method is now the same one used in initial integration setup, scopes will be the same as scopes used in HubSpot integrations. Check that the target entity your request is trying to access is covered by these scopes.

Why did authentication change?

HubSpot's decision to change authentication methods was part of measures being taken to strengthen security. By moving away from API keys, HubSpot has ensured that these keys will no longer be stored indefinitely on their servers. The current methods offer you an extra layer of protection by using access tokens which don't require any keys linked to your data to be stored for long periods of time.

Remember: Security measures used for API requests, such as encryption and authentication, ultimately serve to protect your data's privacy and ensure its integrity as it is sent over a network.


Have more questions? Contact our Support team. We're always here to help you!

Did this answer your question?