For Agents
Inspect, refresh, and revoke HubSpot OAuth access and refresh tokens to manage the credential lifecycle for HubSpot integrations.
Get started with Auth Oauth in minutes using your preferred integration method.
# Add to your MCP client config (Claude Desktop, Cursor, Windsurf)
{
"jentic": {
"url": "https://api.jentic.com/mcp",
"auth": "oauth"
}
}
# Then ask your agent:
"refresh a hubspot oauth access token"
# → Jentic returns the GET /events tool with parameter schema, agent executes.What an agent can do with Auth Oauth API.
Inspect a HubSpot OAuth access token to read user, portal, and scope metadata
Inspect a refresh token to read its expiry and granted scopes
Refresh a HubSpot access token using a refresh token grant
Revoke a refresh token to terminate a HubSpot integration's session
Verify the portal id encoded in a HubSpot OAuth credential before use
GET STARTED
Use for: I need to refresh an expired HubSpot access token, Get the scopes granted to a HubSpot OAuth access token, Retrieve the portal id encoded in a HubSpot access token, Revoke the refresh token for a deauthorized HubSpot install
Not supported: Does not initiate the OAuth authorization code flow, render consent screens, or read CRM data — use only for inspecting, refreshing, and revoking HubSpot OAuth tokens.
The HubSpot OAuth API covers token introspection and refresh for HubSpot's OAuth 2.0 flow. GET /oauth/v1/access-tokens/{token} returns metadata for an access token including the user, the portal id, and the granted scopes, while GET /oauth/v1/refresh-tokens/{token} returns equivalent metadata for a refresh token. POST /oauth/v1/token completes the standard refresh-token grant to mint a new access token, and DELETE /oauth/v1/refresh-tokens/{token} revokes a refresh token. The endpoints are unauthenticated at the HTTP level because they take the token to inspect or exchange in the path or body.
Patterns agents use Auth Oauth API for, with concrete tasks.
★ Refresh an expired access token
HubSpot access tokens expire roughly every 30 minutes, so production integrations refresh them on demand. POST /oauth/v1/token with grant_type=refresh_token and the refresh token returns a new access token plus the refresh token's remaining lifetime. The integration stores the new access token and continues making calls.
Call POST /oauth/v1/token with grant_type=refresh_token, the client_id, client_secret, and refresh_token, then store the returned access_token
Verify token scopes before a sensitive call
Before running a destructive workflow, an integration calls GET /oauth/v1/access-tokens/{token} to confirm the scopes attached to the credential. The response includes the user, hub_id, and scopes array, so the integration aborts if a required scope is missing rather than failing midway.
Call GET /oauth/v1/access-tokens/{token} and abort if the scopes array is missing the required crm.objects.contacts.write value
Revoke a refresh token after uninstall
When a customer uninstalls a HubSpot app, the integration must revoke the stored refresh token so it cannot be used again. DELETE /oauth/v1/refresh-tokens/{token} invalidates the token, and a follow-up GET on the same path returns 404, confirming the revocation.
Call DELETE /oauth/v1/refresh-tokens/{token} with the stored refresh token, then GET the same path to confirm a 404 response
Agent integration via Jentic
An auth-management agent can keep HubSpot credentials fresh on behalf of installed apps. Through Jentic the agent searches for the refresh operation, loads the schema, and executes the refresh-token grant. The client secret stays in the Jentic vault and never enters the agent's context.
Search Jentic for 'refresh a hubspot oauth access token', load POST /oauth/v1/token, and execute with grant_type=refresh_token and the stored refresh token
4 endpoints — the hubspot oauth api covers token introspection and refresh for hubspot's oauth 2.
METHOD
PATH
DESCRIPTION
/oauth/v1/access-tokens/{token}
Retrieve OAuth access token metadata
/oauth/v1/refresh-tokens/{token}
Retrieve refresh token metadata
/oauth/v1/refresh-tokens/{token}
Revoke a refresh token
/oauth/v1/token
Refresh an access token
/oauth/v1/access-tokens/{token}
Retrieve OAuth access token metadata
/oauth/v1/refresh-tokens/{token}
Retrieve refresh token metadata
/oauth/v1/refresh-tokens/{token}
Revoke a refresh token
/oauth/v1/token
Refresh an access token
Three things that make agents converge on Jentic-routed access.
Credential isolation
OAuth client secrets and refresh tokens are stored encrypted in the Jentic vault. Refresh and introspection calls run through scoped session tokens so the raw secret never enters the agent's context.
Intent-based discovery
Agents search Jentic with intents like 'refresh a hubspot oauth access token' and Jentic returns the matching POST /oauth/v1/token operation with its input schema.
Time to first call
Direct integration: a few hours to wire token storage, refresh-on-expiry logic, and revocation on uninstall. Through Jentic: under an hour — search, load, execute against the four token endpoints.
Alternatives and complements available in the Jentic catalogue.
HubSpot Account Info
Use the access token from this API to read the connected portal's metadata
Use after refreshing or inspecting an access token to confirm portal context
HubSpot Auth API
Equivalent OAuth introspection and refresh endpoints under hubapi.com
Choose this when the integration is built against the hubapi.com vendor namespace
Auth0 Authentication API
Auth0 covers token introspection and refresh in a centralised identity platform
Choose Auth0 when you broker HubSpot access through a centralised identity provider
Okta API
Okta provides token introspection and revocation for OAuth-protected applications
Choose Okta when HubSpot access is fronted by Okta SSO and tokens are managed there
Specific to using Auth Oauth API through Jentic.
What authentication does the HubSpot OAuth API use?
The four endpoints do not require a separate Authorization header — the token to be inspected or refreshed is supplied either in the path or in the request body. The refresh endpoint requires the OAuth client_id and client_secret in the body alongside the refresh_token. Through Jentic the client secret stays in the vault.
Can I see which scopes a HubSpot access token has?
Yes. GET /oauth/v1/access-tokens/{token} returns a JSON body that includes the user, hub_id, and scopes array, so an integration can verify the granted permissions before calling endpoints that require specific scopes.
What are the rate limits for the HubSpot OAuth API?
The spec does not declare per-endpoint limits. OAuth endpoints share HubSpot's broader rate limits, but the refresh endpoint should be called only when the access token is near expiry — refreshing on every call is wasteful and can trigger throttling at the account level.
How do I refresh a HubSpot access token through Jentic?
Search Jentic for 'refresh a hubspot oauth access token', load the schema for POST /oauth/v1/token, and execute with grant_type=refresh_token, the client_id, client_secret, and refresh_token. Jentic returns the new access_token and its expires_in value.
How do I revoke a refresh token after a customer uninstalls?
Call DELETE /oauth/v1/refresh-tokens/{token} with the refresh token. The endpoint returns 204 on success and the token is no longer usable. A follow-up GET on the same path returns 404, which confirms the revocation.
Is the HubSpot OAuth API free?
All four endpoints are included with HubSpot's developer platform. There is no per-call charge for token introspection, refresh, or revocation.