HubSpot
CRMsystem_type: "hubspot"Proxy HubSpot CRM API calls (contacts, deals, companies, tickets) with PQC-sealed OAuth2 tokens and signed payloads.
Overview#
The HubSpot connector proxies calls to the HubSpot v3 CRM API. OAuth2 access and refresh tokens are sealed in QuantaVault with ML-KEM-768 encryption. Every request and response is wrapped in a HybridCryptoEnvelope so your application only ever handles ciphertext.
https://api.quantaseal.io/api/v2/proxy/outboundAuth header:
X-API-Key: qs_live_...Prerequisites#
- 1A HubSpot private app or OAuth2 app with the required CRM scopes (crm.objects.contacts.read, crm.objects.deals.read, etc.)
- 2Access token or OAuth2 client credentials
- 3A QuantaSeal API key
Configuration#
Follow these steps to connect HubSpot to QuantaSeal. You can configure integrations via the Admin Console or directly via the API.
- 1
In HubSpot, create a Private App under Settings → Integrations → Private Apps.
- 2
Select the required scopes and generate an access token.
- 3
Seal the token: POST /api/v2/vault/seal with credential_type: api_key.
- 4
Create the integration: POST /api/v2/integrations with system_type: hubspot.
- 5
Set allowed_operations to the list of operations your application needs.
Authentication Types#
HubSpot private app tokens map to the api_key credential type. OAuth2 public apps (client ID + secret + refresh token) use oauth2_client. Store either via POST /api/v2/vault/seal.
All credential types are sealed in QuantaVault with ML-KEM-768 + AES-256-GCM and wrapped by your tenant AWS KMS CMK before storage. See the Vault API reference for the full list of credential types and seal/unseal endpoints.
Available Operations#
QuantaSeal enforces a default-deny operation policy. Only operations listed in your integration's allowed_operations array will be permitted. Add operations when creating or updating the integration.
| Operation | Description |
|---|---|
get_contact | Retrieve a contact by ID or email. |
create_contact | Create a new CRM contact. |
update_contact | Update contact properties. |
get_deal | Retrieve a deal by ID. |
create_deal | Create a new deal. |
search | Search CRM objects with filters. |
list_companies | List companies with optional pagination. |
Code Example#
Every proxy call returns a HybridCryptoEnvelope - the response is ML-KEM-768 key-encapsulated, AES-256-GCM encrypted, and signed with ML-DSA-65 + HMAC-SHA-512. Verify both signatures before trusting the decrypted payload.
curl -X POST https://api.quantaseal.io/api/v2/proxy/outbound \
-H "X-API-Key: qs_live_your_key_here" \
-H "Content-Type: application/json" \
-d '{
"integration_id": "int_01HZ9X2K4MNPQR5HUBSPOT001",
"operation": "get_contact",
"payload": {
"contact_id": "12345",
"properties": ["firstname", "lastname", "email", "phone"]
}
}'
# Response - HybridCryptoEnvelope
{
"success": true,
"encrypted": {
"ciphertext_kem": "<base64 - 1088 bytes ML-KEM-768>",
"ciphertext_data": "<base64 - AES-256-GCM encrypted HubSpot response>",
"nonce": "<base64 - 12 bytes>",
"tenant_id": "ten_01HZ9X2K4MNPQR5STUVWXYZ00",
"algorithm": "ML-KEM-768"
},
"signature": {
"pqc_signature": "<base64 - ~3309 bytes ML-DSA-65>",
"hmac_signature": "<base64 - 64 bytes HMAC-SHA-512>",
"tenant_id": "ten_01HZ9X2K4MNPQR5STUVWXYZ00",
"algorithm": "ML-DSA-65+HMAC-SHA-512"
},
"audit_event_id": "aud_01HZ9XABCDEF"
}client.encryption.decrypt(envelope). Both the ML-DSA-65 signature and the HMAC-SHA-512 signature must pass - QuantaSeal uses a bitwise & check, not short-circuit and.Troubleshooting#
401 from HubSpot - token expired
Private app tokens do not expire, but OAuth2 access tokens do. Use oauth2_client credential type so QuantaSeal can automatically refresh using the stored refresh token.
Missing scope error from HubSpot
Add the missing scope to your Private App or OAuth2 app in the HubSpot settings, then re-issue the token and update the vault entry.