It’s time to rotate your API Key – don’t get shocked if you receive such an email or message from HubSpot. You will receive it every six months. If you already know what API keys are, you can skip the next couple of paragraphs and go straight to the heading “API keys don’t get invalidated unless withdrawn” where we talk about HubSpot API Keys.
What are API Keys?
API stands for Application Programming Interface. An API key is also known as a code or a secret authentication token or a unique identifier that is used to call a program to a website or two applications. The API key comes with specific user rights that are required for interacting with two applications or services. API Keys are an easy way for two services to communicate.
An API key looks like this: 39HISDHsd9j49tHSDEFJ494393hsidfh49a9dH
As you can see, these are random and kept unique each time. Once the two applications in question or the two services validate the same API key at their ends, the integration or the access becomes successful.
API Keys Don’t Get Invalidated Unless Withdrawn
Talking about withdrawing, HubSpot asks its users to change their API keys in the 6 months cycle. It’s for increased security purposes. HubSpot sends emails to notify the users to change their API keys. Those who see such emails panic because the other software providers usually do this when their security is breached. However, in the case of HubSpot, this a regular practice. Users have to rotate their API keys for security purposes.
HubSpot API Keys Give Admin Access of the HubSpot Portal to the User/Tool.
Limiting access to the API keys will allow you to control its admin access. The move will prevent every user/tool to have admin access to the portal. But, when you change the API key, then those users/tools that have limited access won’t be able to access anything.
API key rotations or password changes do happen when an employee leaves the company. It is standard practice. Similarly, HubSpot has made it regular practice covering all such scenarios and even those which you don’t anticipate. HubSpot’s doing its job of ringing the bell. Some users even do it every three months.
Here’s how you create and rotate the HubSpot Key
Click on the Settings to open the settings dashboard
On the left sidebar, you will multiple options, Click on Integrations, when you click on integrations, you will see the following options; API key, Connected apps, Ecommerce Email Integrations, click on the API Key.
If you are creating the HubSpot API key for the first time, you will have a view like you see below. You will see Create key button, when you click on the button, a dialog box with reCAPTCHA will appear. When you tick that box, you will have your HubSpot API key.
If you have created your HubSpot API key, then instead of Create a key button, you will see the Actions button.
When you click on the Actions button, two options will appear, ‘Rotate Key’ and ‘Deactivate key’. The Deactivate key option just deactivates the current HubSpot API key. The Rotate Key option gives you the option to deactivate the current key and re-generate the new HubSpot API key.
When you click on the Rotate Key button, the following dialog box appears. You will have to click on ‘Rotate and Expire this key now’ to proceed further.
Clicking on the button generates your new API key, once you tick on the reCAPTCHA, you will, you will have your new HubSpot API. Share it with your developers and for other integration purposes.
You may experience downtime until you replace the API key on all the places. The downtime is worth it because changing the API key is necessary and adds a layer of security to your website.
HubSpot, prioritizing its security can still be hacked. It does have its loopholes when integrated to unsecured third party tools or when not following the account security property. Checkout our detailed edition on security risks with HubSpot websites. Click on the image below.