> ## Documentation Index
> Fetch the complete documentation index at: https://authsome.ai/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# HubSpot

> Log in to HubSpot from authsome via OAuth2. Tokens are stored locally and refreshed automatically.

HubSpot is a bundled OAuth2 provider in authsome. HubSpot CRM objects: contacts, companies, deals, owners.

## At a glance

|                           |                                                                                                                                                                                                        |
| ------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| Provider name             | `hubspot`                                                                                                                                                                                              |
| Display name              | HubSpot                                                                                                                                                                                                |
| Auth type                 | OAuth2                                                                                                                                                                                                 |
| Default flow              | `pkce`, PKCE browser flow                                                                                                                                                                              |
| PKCE supported            | No                                                                                                                                                                                                     |
| Device code supported     | No                                                                                                                                                                                                     |
| DCR supported             | No                                                                                                                                                                                                     |
| Default scopes            | `crm.objects.contacts.read`, `crm.objects.contacts.write`, `crm.objects.companies.read`, `crm.objects.companies.write`, `crm.objects.deals.read`, `crm.objects.deals.write`, `crm.objects.owners.read` |
| Proxy host                | `api.hubapi.com`                                                                                                                                                                                       |
| Env var (`access_token`)  | `HUBSPOT_ACCESS_TOKEN`                                                                                                                                                                                 |
| Env var (`refresh_token`) | `HUBSPOT_REFRESH_TOKEN`                                                                                                                                                                                |

## Prerequisites

You need to register an OAuth app with HubSpot once. Create a HubSpot app in the developer dashboard. Configure the OAuth callback URL and request the scopes you need.

The redirect URI must be:

```text theme={null}
http://127.0.0.1:7998/auth/callback/oauth
```

This is the only callback URL authsome's PKCE flow listens on.

Dashboard: [https://app.hubspot.com/developer](https://app.hubspot.com/developer).

<Note>
  HubSpot's OAuth flow does not support PKCE today. Authsome runs the standard authorization-code flow with `client_secret` exchange.
</Note>

## Log in

```bash theme={null}
authsome login hubspot
```

The first time, authsome opens a local form at `http://127.0.0.1:7998` to collect your `client_id` and `client_secret`. They are encrypted in your vault and reused on every subsequent login. A second browser window then opens to `https://app.hubspot.com/oauth/authorize` for the authorization step.

Verify:

```bash theme={null}
authsome get hubspot --field status
# → connected
```

## Custom scopes

The bundled definition requests `crm.objects.contacts.read`, `crm.objects.contacts.write`, `crm.objects.companies.read`, `crm.objects.companies.write`, `crm.objects.deals.read`, `crm.objects.deals.write`, `crm.objects.owners.read`. Override at login time:

```bash theme={null}
authsome login hubspot --scopes "<comma-separated>"
```

The granted scopes are stored on the connection and visible in `authsome get hubspot`.

## Multiple accounts

Pass `--connection <name>` on `login` and on every read command to keep two or more accounts on the same provider side by side. See [Multiple connections per provider](/guides/multiple-connections) for the full pattern.

```bash theme={null}
authsome login hubspot --connection personal
authsome login hubspot --connection work
```

## Use the token

Run the agent under the proxy (recommended).

<CodeGroup>
  ```bash Proxy (recommended) theme={null}
  authsome run -- python my_agent.py
  ```

  ```bash Environment theme={null}
  eval "$(authsome export hubspot --format env)"
  ```
</CodeGroup>

Under the proxy, authsome sets `HUBSPOT_ACCESS_TOKEN=authsome-proxy-managed` in the child's environment and injects the real token into outbound requests to `api.hubapi.com`. The child process never sees the actual value. Refresh tokens are never exported.

## Override the bundled definition

```bash theme={null}
authsome inspect hubspot > ~/.authsome/providers/hubspot.json
# edit scopes, base_url, or anything else
authsome list   # source now shows "custom" for hubspot
```

User-registered files always win over bundled definitions.

## What's next

<Columns cols={2}>
  <Card title="Run agents with the proxy" icon="shield-halved" href="/guides/run-agents-with-proxy">
    Inject the access token into outbound requests without exposing it.
  </Card>

  <Card title="Multiple connections per provider" icon="users" href="/guides/multiple-connections">
    Keep two or more accounts on the same provider side by side.
  </Card>

  <Card title="OAuth providers" icon="right-to-bracket" href="/integrations/oauth/index">
    All bundled OAuth providers.
  </Card>
</Columns>
