As of June 16, 2026, HubSpot has turned an old technical shortcut into a dated risk with a clear end point. On May 12, 2026, HubSpot announced that the legacy OAuth v1 API will be deprecated on February 16, 2027. If your business relies on custom CRM integrations, agency-built HubSpot apps, lead-routing middleware, or internal reporting tools, this is no longer background maintenance. It is a scheduled remediation job.
That matters for owners and operations leads because older OAuth code is rarely isolated. It often sits in install callbacks, refresh jobs, webhook handlers, disconnect flows, support scripts, and forgotten wrappers. When one of those paths still calls the old endpoints, the integration can look healthy right up until authentication starts failing. HubSpot has also explained why it wants teams off the old flow: the v1 endpoints accept sensitive values in query parameters or URL paths, which increases the chance of secrets ending up in logs, browser history, or telemetry.
Which setups deserve attention first
The urgent cases are the ones where your team or agency still owns custom code that talks to HubSpot OAuth directly. If you maintain marketplace apps and received HubSpot's email listing app IDs that recently hit v1 endpoints, treat that as a live inventory list and use it to scope the cleanup before February 16, 2027 arrives.
| Setup | Risk level | What to do now |
|---|---|---|
Custom integration already using /oauth/2026-03/* |
Low | Retest refresh, introspection, and revoke flows. Confirm secrets are not leaking into URLs or logs. |
Older custom app or middleware using /oauth/v1/* |
High | Schedule a migration project now. Replace token, introspect, and revoke calls before February 16, 2027. |
| Marketplace app named in HubSpot's sunset email | High | Trace every referenced code path and confirm which installs, tenants, or client workflows depend on it. |
Project-based HubSpot app on 2025.2 |
Medium | Update platformVersion to 2026.03 in hsproject.json and run hs project upload. |
Project-based HubSpot app on 2023.1, 2023.2, or 2025.1 |
Medium to high | Run hs project migrate, then re-add any needed secrets with hs secret add. |
What actually changed
The old endpoints HubSpot is retiring are familiar: POST /v1/token, GET /v1/access-tokens/{token}, GET /v1/refresh-tokens/{token}, and DELETE /v1/refresh-tokens/{token}. Their replacements are POST /oauth/2026-03/token, POST /oauth/2026-03/token/introspect, and POST /oauth/2026-03/token/revoke.
The important difference is not just the path name. HubSpot's current guidance is to send sensitive fields in a form-encoded request body instead of the URL. The install URL, consent page, and requested scopes stay the same, so the frontend install experience usually does not need a redesign. The backend token handling does. HubSpot also documents that access tokens expire after 30 minutes, so refresh handling needs to use the returned expires_in value rather than vague assumptions.
There is a second operational change that teams often miss: error handling. HubSpot's 2026-03 OAuth responses include standard OAuth fields such as error and error_description, while older HubSpot-specific fields remain available for compatibility. If your monitoring, retry logic, or user-facing error messages still depend on legacy response shapes, this is the time to standardize them.
What a proper cleanup project includes
This is where the work becomes billable in the real world. A solid migration is not a single code edit. It normally includes:
- Searching code, configuration, CI/CD scripts, tests, serverless functions, webhooks, SDK wrappers, and admin utilities for references to
/oauth/v1/token,/oauth/v1/access-tokens, and/oauth/v1/refresh-tokens. - Replacing authorization-code exchanges and refresh logic with
POST /oauth/2026-03/token, using form-encoded body fields forclient_id,client_secret,codeorrefresh_token,grant_type, andredirect_uriwhere relevant. - Replacing token metadata lookups with
POST /oauth/2026-03/token/introspectand updating downstream code for the newer response model. - Replacing disconnect or uninstall logic with
POST /oauth/2026-03/token/revoke. - Reviewing logs, APM tools, reverse proxies, and support scripts to confirm client IDs, client secrets, authorization codes, and tokens are no longer visible in URLs.
- Running a full non-production test of install, refresh, introspect, revoke, and failure handling before rollout.
If your team previously adopted HubSpot's short-lived /v3 OAuth endpoints, HubSpot now recommends moving those paths to /oauth/2026-03 so they align with the broader date-based versioning model.
When HubSpot app versioning widens the scope
Not every OAuth migration also needs app-platform work, but many agency-built HubSpot solutions do. HubSpot now ships new developer platform and API versions every March and September. The current platform version 2026.03 became available on March 30, 2026, and HubSpot says version 2025.1 will be deprecated on August 1, 2026. If you maintain project-based apps, you may be dealing with two deadlines at once: the app platform lifecycle and the OAuth v1 sunset.
For a project already on 2025.2, the upgrade path is straightforward: change platformVersion in hsproject.json to 2026.03 and run hs project upload. For apps on 2023.1, 2023.2, or 2025.1, HubSpot's documented route is hs project migrate. If those older apps defined environment variables in serverless.json, HubSpot notes that you may need to recreate them as secrets with hs secret add. HubSpot also recommends using CLI version 8.4.0 or newer before you start.
Why this is worth handling deliberately
The cheapest version of this work is a planned cleanup completed before the deadline. The expensive version is discovering, under pressure, that a forgotten revoke call or refresh job still depends on the legacy flow. For most firms, the sensible engagement is a short discovery pass, a fixed migration scope, then a staged rollout with test evidence and log review. That gives leadership something concrete: known risk, known deadline, and a bounded remediation plan.
If you want that kind of practical audit and migration scope before February 16, 2027, talk to Greg. He can help turn a vague HubSpot dependency into an ordered cleanup project with clear owners, risks, and next steps.
Need help with this kind of work?
Need a scoped audit and migration plan for older HubSpot integrations? Talk to Greg. Get in touch with Greg.