Overview
Over time HubSpot’s developer platform had become a bit of a mess. One way this mess surfaced to users was multiple conflicting systems for developers to integrate with a HubSpot account: API keys and OAuth apps.
This had several downstream effects on the overall developer and user experience.
It made the platform more confusing for novices
These two methods didn’t have the same feature support
This wouldn’t scale well with platform updates on the roadmap
API keys had major security flaws that unnecessarily exposed HubSpot user data
User problem
For HubSpot users: API keys represented a huge, largely invisible security vulnerability. They could be unknowingly exposing their account data, including customer PII.
For platform developers: It was much too easy to accidentally expose API keys, and much too difficult to fix it. Even though API keys are much easier to use, some savvy devs fell back to building OAuth apps for the security benefits. For novice developers, the multiple ways of building integrations were often confusing.
Our primary goal was to reduce the surface area of potential vulnerabilities. Our secondary goal was to eventually reduce the overall complexity of the platform by introducing a unified app development model.
My Approach
This project began with significant exploratory research, to both understand the scope of the problem and explore potential design directions. I went through several iterations of user flow and interaction designs utilizing HubSpot's established design system. Those designs and the initial implementation were then validated with users in a diary study.
Exploratory research
We sought to understand what exactly developers found valuable about API keys. We had a strong suspicion that they were much easier to use than OAuth apps, and wanted to dig into that further. I planned and conducted a series of interviews with existing API key developers which focused on these questions and presented an early concept for private apps.

Key findings and design direction
This initial research led to several key insights about the design direction for private apps. We confirmed that a huge benefit of API keys was in their ease of use and speed of getting started, without the need for a developer to set up and maintain an OAuth authentication service.
So my primary design goal for private apps became not only to eliminate security vulnerabilities by replacing API keys with a more robust authentication model (OAuth), but also to keep them just as easy to create and use as API keys.
App creation and management designs
Through multiple design iterations, I streamlined the onboarding flow, reducing friction while guiding developers through app creation and scope selection. The final design allowed developers to create a private app in seconds, mirroring the simplicity of API keys but with vastly improved security and control.


Validation research: Diary study
To validate the Private Apps experience over time, I conducted a diary study with internal and external developers, asking them to use the new system and log their experience over a 2-week session. Participants were asked to highlight pain points, confusion, and areas of friction in their workflows. This longitudinal approach was meant to provide deeper insights into challenges like scope usability, token management, and API onboarding.

Impact and future direction
Overall, the private apps project was a significant success. Our strategy of incremental beta releases and close attention to developer feedback, along with the diary study I conducted, helped to confirm that our streamlined app creation process successfully maintained the ease of API keys while significantly improving security.
As of early 2023, all API keys have been sunset and nearly 7,000 active private apps have been created. Private apps continue to play a critical role in HubSpot's overall app ecosystem strategy for both customers and partners.