Skip to main content
GrN.dk

Main navigation

  • Articles
  • Contact
  • Your Digital Project Manager
  • About Greg Nowak
  • Services
  • Portfolio
  • Container
    • Excel Freelancer
    • Kubuntu - tips and tricks
    • Linux Apache MySQL and PHP
    • News
    • Image Gallery
User account menu
  • Log in

Breadcrumb

  1. Home

HubSpot OAuth v1 deprecation: what old CRM integrations need next

As of June 16, 2026, HubSpot has turned an old technical shortcut into a dated risk with a clear end point. On May 12, 2026, HubSpot announced that the legacy OAuth v1 API will be deprecated on February 16, 2027. If your business relies on custom CRM integrations, agency-built HubSpot apps, lead-routing middleware, or internal reporting tools, this is no longer background maintenance. It is a scheduled remediation job.

That matters for owners and operations leads because older OAuth code is rarely isolated. It often sits in install callbacks, refresh jobs, webhook handlers, disconnect flows, support scripts, and forgotten wrappers. When one of those paths still calls the old endpoints, the integration can look healthy right up until authentication starts failing. HubSpot has also explained why it wants teams off the old flow: the v1 endpoints accept sensitive values in query parameters or URL paths, which increases the chance of secrets ending up in logs, browser history, or telemetry.

Which setups deserve attention first

The urgent cases are the ones where your team or agency still owns custom code that talks to HubSpot OAuth directly. If you maintain marketplace apps and received HubSpot's email listing app IDs that recently hit v1 endpoints, treat that as a live inventory list and use it to scope the cleanup before February 16, 2027 arrives.

Setup Risk level What to do now
Custom integration already using /oauth/2026-03/* Low Retest refresh, introspection, and revoke flows. Confirm secrets are not leaking into URLs or logs.
Older custom app or middleware using /oauth/v1/* High Schedule a migration project now. Replace token, introspect, and revoke calls before February 16, 2027.
Marketplace app named in HubSpot's sunset email High Trace every referenced code path and confirm which installs, tenants, or client workflows depend on it.
Project-based HubSpot app on 2025.2 Medium Update platformVersion to 2026.03 in hsproject.json and run hs project upload.
Project-based HubSpot app on 2023.1, 2023.2, or 2025.1 Medium to high Run hs project migrate, then re-add any needed secrets with hs secret add.
A quick triage view: the OAuth sunset is the hard deadline, but some teams also have nearby HubSpot platform-version work.

What actually changed

The old endpoints HubSpot is retiring are familiar: POST /v1/token, GET /v1/access-tokens/{token}, GET /v1/refresh-tokens/{token}, and DELETE /v1/refresh-tokens/{token}. Their replacements are POST /oauth/2026-03/token, POST /oauth/2026-03/token/introspect, and POST /oauth/2026-03/token/revoke.

The important difference is not just the path name. HubSpot's current guidance is to send sensitive fields in a form-encoded request body instead of the URL. The install URL, consent page, and requested scopes stay the same, so the frontend install experience usually does not need a redesign. The backend token handling does. HubSpot also documents that access tokens expire after 30 minutes, so refresh handling needs to use the returned expires_in value rather than vague assumptions.

There is a second operational change that teams often miss: error handling. HubSpot's 2026-03 OAuth responses include standard OAuth fields such as error and error_description, while older HubSpot-specific fields remain available for compatibility. If your monitoring, retry logic, or user-facing error messages still depend on legacy response shapes, this is the time to standardize them.

What a proper cleanup project includes

This is where the work becomes billable in the real world. A solid migration is not a single code edit. It normally includes:

  • Searching code, configuration, CI/CD scripts, tests, serverless functions, webhooks, SDK wrappers, and admin utilities for references to /oauth/v1/token, /oauth/v1/access-tokens, and /oauth/v1/refresh-tokens.
  • Replacing authorization-code exchanges and refresh logic with POST /oauth/2026-03/token, using form-encoded body fields for client_id, client_secret, code or refresh_token, grant_type, and redirect_uri where relevant.
  • Replacing token metadata lookups with POST /oauth/2026-03/token/introspect and updating downstream code for the newer response model.
  • Replacing disconnect or uninstall logic with POST /oauth/2026-03/token/revoke.
  • Reviewing logs, APM tools, reverse proxies, and support scripts to confirm client IDs, client secrets, authorization codes, and tokens are no longer visible in URLs.
  • Running a full non-production test of install, refresh, introspect, revoke, and failure handling before rollout.

If your team previously adopted HubSpot's short-lived /v3 OAuth endpoints, HubSpot now recommends moving those paths to /oauth/2026-03 so they align with the broader date-based versioning model.

When HubSpot app versioning widens the scope

Not every OAuth migration also needs app-platform work, but many agency-built HubSpot solutions do. HubSpot now ships new developer platform and API versions every March and September. The current platform version 2026.03 became available on March 30, 2026, and HubSpot says version 2025.1 will be deprecated on August 1, 2026. If you maintain project-based apps, you may be dealing with two deadlines at once: the app platform lifecycle and the OAuth v1 sunset.

For a project already on 2025.2, the upgrade path is straightforward: change platformVersion in hsproject.json to 2026.03 and run hs project upload. For apps on 2023.1, 2023.2, or 2025.1, HubSpot's documented route is hs project migrate. If those older apps defined environment variables in serverless.json, HubSpot notes that you may need to recreate them as secrets with hs secret add. HubSpot also recommends using CLI version 8.4.0 or newer before you start.

Why this is worth handling deliberately

The cheapest version of this work is a planned cleanup completed before the deadline. The expensive version is discovering, under pressure, that a forgotten revoke call or refresh job still depends on the legacy flow. For most firms, the sensible engagement is a short discovery pass, a fixed migration scope, then a staged rollout with test evidence and log review. That gives leadership something concrete: known risk, known deadline, and a bounded remediation plan.

If you want that kind of practical audit and migration scope before February 16, 2027, talk to Greg. He can help turn a vague HubSpot dependency into an ordered cleanup project with clear owners, risks, and next steps.

Need help with this kind of work?

Need a scoped audit and migration plan for older HubSpot integrations? Talk to Greg. Get in touch with Greg.

Sources

  • v1 OAuth API Deprecation
  • Migrate from the OAuth v1 API to the latest date-based versioned API
  • Manage OAuth access tokens with the 2026-03 API
  • Developer platform and API versioning
  • Migrate an existing app to the latest version of the developer platform (2026.03)
Last modified
2026-06-24

Tags

  • hubspot
  • oauth
  • CRM integrations
  • hubspot apps
  • security

Review Greg on Google

Greg Nowak Google Reviews

 

Illustrated infographic summarizing: If the Facts Need JavaScript, AI Search May Miss the Full Page
If the Facts Need JavaScript, AI Search May Miss the Full Page
2026-07-14

A practical guide to finding and fixing JavaScript rendering gaps that can hide services, prices, contact details and metadata from AI search crawlers.

Illustrated infographic summarizing: Search Console Can See Social Posts—Your Reports Need a New Map
Search Console Can See Social Posts—Your Reports Need a New Map
2026-07-13

Search Console now reports how social posts perform across Google. Here’s a practical way to manage properties, permissions, baselines and exports.

Illustrated infographic summarizing: WordPress 7.0 Has an AI Client. Plugins Need Their Own Guardrails
WordPress 7.0 Has an AI Client. Plugins Need Their Own Guardrails
2026-07-12

WordPress 7.0 standardizes how plugins call AI providers, while leaving developers responsible for access control, cost limits, capability checks and graceful failures.

Illustrated infographic summarizing: Google’s AI Search toggle needs a test plan, not a gut decision
Google’s AI Search toggle needs a test plan, not a gut decision
2026-07-11

Google’s AI Search control creates a measurable publishing choice. Test visibility, traffic and leads before changing the setting across your site.

Illustrated infographic summarizing: OpenAI Is Retiring Agent Builder: Save the Workflow, Not Just Prompts
OpenAI Is Retiring Agent Builder: Save the Workflow, Not Just Prompts
2026-07-10

OpenAI retires Agent Builder on November 30, 2026. Here is what teams need to preserve, how to choose a migration path, and how to cut over safely.

Illustrated infographic summarizing: AI agents need a browser policy before they start clicking around
AI agents need a browser policy before they start clicking around
2026-07-09

Browser-using AI agents can save time, but they need clear rules before they enter CRMs, CMSs, portals, or admin tools and start taking action.

Illustrated infographic summarizing: When AI writes JSON, one bad field can break the workflow
When AI writes JSON, one bad field can break the workflow
2026-07-08

Structured AI output is useful in real workflows, but teams need schemas, validation, retries, and logs before JSON reaches production systems.

Illustrated infographic summarizing: AI search is eating the click: measure the queries before rewriting pages
AI search is eating the click: measure the queries before rewriting pages
2026-07-07

AI summaries are cutting into search clicks. Start with a practical dashboard that shows query risk, bot purpose, page value, and crawler policy.

Illustrated infographic summarizing: AI shopping visibility now depends on boring product-data plumbing
AI shopping visibility now depends on boring product-data plumbing
2026-07-07

AI-assisted shopping puts more pressure on ecommerce catalog data, feeds, schema, prices, availability, and return-policy governance.

Illustrated infographic summarizing: Drupal AI Demos Need a Permissions Rehearsal Before Launch
Drupal AI Demos Need a Permissions Rehearsal Before Launch
2026-07-07

Drupal’s July 2026 AI advisories show why agencies should test permissions, uploads, approval loops, logs, and rollback before client demos go live.

More articles
RSS feed

GrN.dk web platforms, web optimization, data analysis, data handling and logistics.