HubSpot Client Secret Rotation: What to Do When the 'Rotate' Button Isn't There
Hey there, ESHOPMAN community! As experts living and breathing HubSpot and e-commerce, we know that keeping your integrations secure is paramount. One critical piece of that puzzle is managing your API client secrets. These are like the keys to your HubSpot kingdom for external applications, and just like physical keys, they sometimes need to be changed or 'rotated' for security reasons. But what happens when the option to rotate them seems to be missing?
We recently stumbled upon a fascinating discussion in the HubSpot Community that perfectly illustrates a common point of confusion. It's a great example of real-world challenges HubSpot users face, especially when dealing with different generations of HubSpot applications and interfaces.
The Case of the Missing 'Rotate' Button
The original poster in the community thread had a very legitimate concern: they suspected their client secret might have been exposed and needed to rotate it within their 'Legacy App'. The problem? They only saw 'Show/Copy' buttons next to the field, with no apparent option to rotate the secret.
A helpful community member quickly chimed in, sharing a screenshot that clearly showed a 'Rotate' button right there, suggesting it should be straightforward. They also wisely noted that super admin permissions are typically required for such actions.
However, the plot thickened. The original poster, a super admin themselves, replied with their own screenshot, which indeed showed only 'Show' and 'Copy' options. The 'Rotate' button was conspicuously absent.
This led to a bit of back-and-forth, with the first responder questioning whether the application was truly a 'legacy application,' given the user interface. The original poster affirmed they were in the correct 'Legacy app' section, providing another screenshot to confirm their navigation path.
The discussion ended with a community moderator stepping in, acknowledging the screenshots and tagging the original responder for further visibility. But for the original poster, the immediate solution remained elusive.
Understanding the Discrepancy: Legacy vs. Modern HubSpot Apps
This thread highlights a common challenge with evolving platforms like HubSpot: different versions and types of applications can have different UIs and functionalities. While the term 'Legacy App' might refer to older custom integrations, the exact interface and options can vary based on when the app was created, its specific type (e.g., private app vs. public app), and potentially even portal settings or regional rollouts.
If you find yourself in a similar situation where the 'Rotate' button for your client secret is missing, even if you have super admin access and believe you're in a 'legacy' setup, here's what you should consider:
Actionable Steps When the 'Rotate' Button is Absent:
- Confirm App Type and Settings: Double-check if your application is truly a custom integration or if it's a marketplace app with its own authentication flow. For custom integrations, especially older ones, the rotation mechanism might not be as straightforward as a single button.
- Re-authentication or Reinstallation: Sometimes, the most effective 'rotation' for an exposed secret in an older, custom integration is to re-authenticate the application or, if feasible, completely reinstall/reconfigure it. This process often generates a new client secret implicitly.
- Create a New Application: This is often the most secure and recommended approach if you suspect a secret is compromised and direct rotation isn't available. If it's a private app or a custom integration you control:
  - Create a brand new private app in your HubSpot developer settings.
  - Update your external system/service (your custom CRM, your website builder to sell products, etc.) to use the new Client ID and Client Secret from this new app.
  - Once you've confirmed the new app is working correctly and your integration is stable, you can then deactivate or delete the old, compromised application. This effectively 'rotates' the secret by replacing the entire access mechanism.
- Contact HubSpot Support: If you're still stuck, providing screenshots and a detailed explanation to HubSpot Support is your best bet. They can investigate your specific portal and app configuration to provide precise guidance or troubleshoot the missing option.
Best Practices for API Security in HubSpot
Regardless of whether you have a 'Rotate' button or not, robust API security is crucial for anyone using HubSpot, especially for e-commerce operations. Here are some quick tips:
- Regular Rotation: Even without a direct button, plan to 'rotate' your critical secrets periodically (e.g., every 90-180 days) by creating new apps and deprecating old ones if direct rotation isn't an option.
- Secure Storage: Never hardcode secrets directly into your codebase. Use environment variables, secure configuration management systems, or dedicated secret management services.
- Least Privilege: Ensure your integrations only have the minimum necessary scopes (permissions) in HubSpot.
- Monitor Access: Keep an eye on your HubSpot audit logs for any unusual API activity.
ESHOPMAN Team Comment
This community discussion perfectly illustrates a common pitfall: assuming a universal UI across all HubSpot app types. For critical security actions like client secret rotation, relying on a potentially missing button is a risk. We strongly advocate for the 'new app, then deprecate old' strategy when direct rotation is unclear or unavailable. This approach provides a clean break and ensures your e-commerce integrations remain secure, which is non-negotiable for any business using HubSpot to power their online store.
Staying on top of your HubSpot app security is vital for maintaining the integrity of your data and the smooth operation of your business, especially if your HubSpot portal is deeply integrated with your e-commerce platform. Whether you're using HubSpot as your primary CRM or leveraging it to power your website builder to sell products, keeping your API secrets secure is non-negotiable. Don't let a missing button deter you from protecting your digital assets!
We hope this deep dive into a common HubSpot Community query helps you navigate your own API security challenges. Keep those questions coming, and let's keep building secure, powerful e-commerce experiences with HubSpot!