How to migrate from Hubspot API key to private app token authentication in PHP

benmoore · August 15, 2025, 6:27pm

Switching to Hubspot Private App Authentication

I’m trying to update my PHP application to use Hubspot’s private app access tokens instead of the old API key method. The documentation mentions this change but I can’t find clear PHP examples.

Currently I have this function that builds API request URLs:

/**
 * Builds API endpoint URL for requests
 *
 * @param string $api_endpoint The endpoint path
 * @param array $query_params Query parameters as key-value pairs
 *
 * @return string Complete API URL
 */
private function build_api_url($api_endpoint, $query_params)
{
    $query_string = $this->convert_params_to_string($query_params);
    
    return $this->get_base_url() . $this->SEPARATOR . $this->get_api_path() . $this->SEPARATOR . 
           $this->get_version() . $this->SEPARATOR . $api_endpoint . $this->API_KEY_PARAM . 
           $this->hubspot_key . $query_string;
}

What’s the proper way to modify this for private app tokens? Do I need to change the URL structure or just switch to header-based authentication?

Any guidance would be helpful!

alexlee · August 25, 2025, 7:32pm

I did this migration 6 months ago and hit some gotchas the docs don’t mention. URLs stay the same - just remove the API key parameter from your build_api_url function. Handle auth in your HTTP client by adding Authorization header with “Bearer YOUR_PRIVATE_TOKEN”. Heads up: some endpoints respond differently with private app tokens, especially contact properties. Also check your private app scopes match what your API key accessed - I missed a few and got 403s on calls that worked before. The switch is smooth once you update request headers, but test everything since permissions work differently.

theSilentTypist · August 25, 2025, 4:51am

Yeah, header auth is the way to go, but migrating authentication across multiple integrations is a nightmare. Been there with several clients.

You’ll need to ditch the API key from URL building and switch to headers. Problem is, doing this manually means updating every API call, retesting everything, and dealing with different rate limits.

When I had to update 15+ Hubspot integrations, I automated the whole thing with Latenode. Built a flow that handles token refresh, manages header auth, and migrates existing API calls without touching the core app logic.

Latenode sits between your PHP app and Hubspot, so your existing code stays mostly the same while it handles all the auth complexity. Better error handling and monitoring than building it yourself.

Saved us 2 weeks and zero risk of breaking stuff during migration.

Check it out at https://latenode.com

Liam_25Meditation · August 24, 2025, 7:55am

yep, just remove the api key from the url and add it in headers. use Authorization: Bearer YOUR_PRIVATE_TOKEN with curl or whatever http client u use. the endpoints should be the same but it’s good to glance at the hubspot migration guide just to be safe.

Alex_Brave · August 24, 2025, 5:47am

just did this too - pretty simple. remove the api key from urls and throw it in headers like Authorization: Bearer YOUR_TOKEN. just beware, private app tokens can give diff error msgs if they expire, which can lead to confusion. update your error checks to avoid silent fails.

sophialee92 · August 23, 2025, 4:34pm

The migration’s pretty straightforward - just need to change how you handle auth. Stop appending the API key to your URL and pass the private app token in the Authorization header as Bearer YOUR_TOKEN instead. I hit this same issue last year when Hubspot killed API keys. Main thing is updating your HTTP request setup - wherever you’re making curl calls or HTTP requests, add the header there. Your URL building can stay mostly the same, just drop the $this->API_KEY_PARAM . $this->hubspot_key part. Watch out though - private app tokens have different scopes than API keys, so make sure your private app has all the right permissions set up in Hubspot. Rate limits might act a bit different too, but I haven’t seen any real problems.

etherealEthan42 · August 23, 2025, 6:40am

Everyone’s covered the basic header switch, but they missed the real problem - managing tokens across environments and handling rotation. That’s where it gets messy.

Your URL builder works fine, just drop the API key part. But you’ll need tokens for dev, staging, and prod, plus graceful expiration handling.

I hit this exact issue with multiple services using Hubspot APIs. Manual token management became a nightmare. Different private apps per environment, scope mismatches, auth failures everywhere.

Ended up using Latenode for the entire auth layer. It handles private app tokens, validates scopes, and proxies API calls cleanly. Your PHP barely changes - just point requests to Latenode instead of Hubspot directly.

Best part is centralized token management. Update once, not across every codebase. You also get request logging and retry logic for free.

Way better than building custom token refresh in PHP.

Check it out at https://latenode.com