Rotating Tokens in HubSpot

In this article, you'll learn what a token is and how to rotate it.

What is a Token?

A token is a security key used to authenticate API requests. In HubSpot, this refers to access tokens for private apps that are connected to HubSpot. These tokens allow apps to access the HubSpot API and perform actions within a HubSpot account.

Why Should the Token Be Rotated?

It is recommended to update the access token every six months. This has several benefits:

  • Following API security best practices: Regularly rotating the token limits how long a leaked or stolen token remains usable, which reduces the risk of unauthorized access.
  • Updating permissions: If the HubSpot account's license has changed (e.g., due to an upgrade or downgrade), rotating the token ensures that the app still has the correct permissions.

Conclusion

It doesn’t hurt to rotate the token regularly.

Why Am I Receiving Automatic Notifications from HubSpot?

HubSpot sends email notifications to Super Admins to inform them about the token rotation status. These notifications occur in the following cases:

  • A token rotation has been initiated.
  • A pending rotation has been canceled.
  • A token has been immediately invalidated.
  • The token will expire in 24 hours.
  • The token has been successfully rotated and the old token has expired after seven days.
  • The token has not been rotated for more than 180 days (reminder email).

How Do I Rotate the Token Correctly?

Tokens are rotated directly in the HubSpot settings:

  1. Log in to your HubSpot account.
  2. Click on Settings in the main navigation bar.
  3. Go to Integrations > Private Apps.
  4. Select the desired private app.
  5. Click Rotate next to your access token.
  6. Choose one of the following options:
    • "Rotate and expire now": The old token will be immediately invalid.
    • "Rotate and expire later": The old token will remain active for seven more days before expiring.
    • If you need to replace the token earlier, click "Expire now".
    • If you need more time, you can cancel the process by clicking "Cancel rotation", which prevents the expiration of the original token.
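
Added example (not HubSpot's or the article author's code): a small check for the "Rotate and expire later" window that lists which integrations still hold the old token, so you know whether "Expire now" is safe or whether you should use "Cancel rotation". The consumer names, token strings and dates are constructed placeholders; tokens are compared by fingerprint so the report never contains a secret.

```python
import hashlib
from datetime import datetime, timedelta, timezone

GRACE = timedelta(days=7)  # "Rotate and expire later" window from the article


def fingerprint(token: str) -> str:
    """Short SHA-256 fingerprint, so reports and logs never contain the token."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()[:12]


def audit_cutover(consumers, old_token, new_token, rotated_at, now):
    """Classify every consumer of the private app token during the grace period."""
    old_fp, new_fp = fingerprint(old_token), fingerprint(new_token)
    expires_at = rotated_at + GRACE
    report = {
        "old_expires_at": expires_at,
        "time_left": max(expires_at - now, timedelta(0)),
        "stale": [],    # still on the old token: breaks when it expires
        "updated": [],  # already on the new token
        "unknown": [],  # holds neither token: investigate before expiring
    }
    for name, token in sorted(consumers.items()):
        fp = fingerprint(token)
        bucket = "stale" if fp == old_fp else "updated" if fp == new_fp else "unknown"
        report[bucket].append(name)
    # Clicking "Expire now" is only disruption-free once nothing is stale or unknown.
    report["safe_to_expire_now"] = not (report["stale"] or report["unknown"])
    return report


# Constructed sample data: placeholder strings, not real HubSpot tokens.
OLD, NEW = "constructed-old-token", "constructed-new-token"
CONSUMERS = {
    "erp-sync": OLD,
    "web-forms": NEW,
    "reporting-job": "constructed-leftover-token",
}
ROTATED_AT = datetime(2025, 1, 1, 9, 0, tzinfo=timezone.utc)
NOW = ROTATED_AT + timedelta(days=5, hours=12)

if __name__ == "__main__":
    result = audit_cutover(CONSUMERS, OLD, NEW, ROTATED_AT, NOW)
    for key, value in result.items():
        print(f"{key}: {value}")
```

In practice the consumers mapping would be filled from your own secret store or deployment configuration; how those values are read is outside this example.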

Who Can Rotate the Token?

  • Super Admins automatically receive notifications about upcoming or required token rotations and can rotate the token.
  • Depending on company policies, developers or IT administrators may also have access to these settings.

Should the Customer Be Notified?

In most cases, it is not necessary to inform the customer directly when a token is rotated. However, if the private app is connected to external customer software or API-dependent services, you should ensure that there are no disruptions and inform the customer if necessary.


For more information, visit: HubSpot Developer Docs.