HubSpot
HubSpotsaas3 credentials
Private App Access Token
hubspot / private-app-access-token
HubSpot private apps use an access token to make API calls to the account where the private app is installed. HubSpot documents setting the Authorization header to Bearer [YOUR_TOKEN].
Location
HUBSPOT_ACCESS_TOKEN, HUBSPOT_PRIVATE_APP_TOKEN, HUBAPI_TOKENAuthorizationBearer token used for HubSpot API requests
.env files, integration config, workflow automation settings, and deployment manifests
CI/CD variables, cloud secret managers, hosted app secrets, and platform config vars
CRM integrations, examples, tests, and accidentally committed automation scripts
API client traces, webhook handler logs, and CI output
Notes
Private app tokens inherit the scopes selected for the private app and are tied to a single HubSpot account.
OAuth Access / Refresh Token
hubspot / oauth-access-refresh-token
HubSpot public apps use OAuth authorization tokens rather than passwords. HubSpot documents OAuth installation with client ID and client secret, and apps exchange authorization grants for access and refresh tokens.
Location
AuthorizationBearer access token for HubSpot API calls
OAuth token endpoint responses containing access_token and refresh_token
public app installation token stores by portal/account
HUBSPOT_ACCESS_TOKEN, HUBSPOT_REFRESH_TOKENOAuth example config, local token caches, and integration settings
encrypted app token stores and cloud secret managers
OAuth callback logs and token exchange debug output
Notes
OAuth token blast radius depends on installed scopes and the HubSpot account where the app was authorized.
OAuth Client Secret
hubspot / oauth-client-secret
HubSpot OAuth apps use a client ID and client secret to build the authorization URL and complete OAuth token exchange. HubSpot documents using the client secret when setting up OAuth authentication.
Location
HUBSPOT_CLIENT_ID, HUBSPOT_CLIENT_SECRETOAuth backend config, app settings, .env files, and deployment manifests
cloud secret managers, CI/CD variables, and hosted app secrets
OAuth handlers, examples, tests, and committed app config
token exchange request dumps and OAuth troubleshooting output
Notes
Client secret exposure can allow impersonation of the HubSpot public app in OAuth token exchange flows.
Scope
Authorized use
LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.