HubSpot MCP | OAuth HubSpot connector for AI agents

CALL ANY TOOL

Manage contacts, deals, companies, tickets, and engagements. Same toolkit, every framework, no auth plumbing to maintain.

hubspot_contacts_search

Search contacts

Full-text search across contacts with optional property filters and pagination.

Parameters

Name

Type

Required

Description

query

string

Optional

Search query string

filters

array

Optional

Array of filter objects with propertyName, operator, value

limit

integer

Optional

Max results (default 10)

hubspot_contact_create

Create contact

hubspot_deals_search

Search deals

hubspot_deal_create

Create deal

hubspot_companies_search

Search companies

hubspot_note_create

Create note

hubspot_task_create

Create task

Build your Agent

Drop the toolkit in, point it at the user, and your agent can search HubSpot contacts, deals, and companies from the first run.

import { ScalekitClient } from "@scalekit-sdk/node";
import { DynamicStructuredTool } from "@langchain/core/tools";
import { createReactAgent } from "@langchain/langgraph/prebuilt";
import { z } from "zod";

const sk = new ScalekitClient(envUrl, clientId, clientSecret);

const { tools } = await sk.tools.listScopedTools("user_123", {
  filter: { connectionNames: ["hubspot"], toolNames: ["hubspot_contacts_search", "hubspot_deals_search", "hubspot_contact_create"] },
  pageSize: 100,
});

const lcTools = tools.map((t) => new DynamicStructuredTool({
  name: t.tool.definition.name,
  description: t.tool.definition.description,
  schema: z.object({}).passthrough(),
  func: async (args) => {
    const { data } = await sk.tools.executeTool({
      toolName: t.tool.definition.name,
      identifier: "user_123",
      params: args,
    });
    return JSON.stringify(data);
  },
}));

const agent = createReactAgent({ llm, tools: lcTools });

import { ScalekitClient } from "@scalekit-sdk/node";
import OpenAI from "openai";

const sk = new ScalekitClient(envUrl, clientId, clientSecret);
const openai = new OpenAI();

const { tools } = await sk.tools.listScopedTools("user_123", {
  filter: { connectionNames: ["hubspot"], toolNames: ["hubspot_contacts_search", "hubspot_deals_search", "hubspot_contact_create"] },
  pageSize: 100,
});

const llmTools = tools.map((t) => ({
  type: "function",
  function: {
    name: t.tool.definition.name,
    description: t.tool.definition.description,
    parameters: t.tool.definition.input_schema,
  },
}));

const resp = await openai.responses.create({
  model: "gpt-4o", input: prompt, tools: llmTools,
});

import { ScalekitClient } from "@scalekit-sdk/node";
import Anthropic from "@anthropic-ai/sdk";

const sk = new ScalekitClient(envUrl, clientId, clientSecret);
const anthropic = new Anthropic();

const { tools } = await sk.tools.listScopedTools("user_123", {
  filter: { connectionNames: ["hubspot"], toolNames: ["hubspot_contacts_search", "hubspot_deals_search", "hubspot_contact_create"] },
  pageSize: 100,
});

const llmTools = tools.map((t) => ({
  name: t.tool.definition.name,
  description: t.tool.definition.description,
  input_schema: t.tool.definition.input_schema,
}));

const msg = await anthropic.messages.create({
  model: "claude-sonnet-4-6", max_tokens: 1024,
  tools: llmTools,
  messages: [{ role: "user", content: prompt }],
});

import { Agent } from "@google/adk/agents";
import {
  MCPToolset, StreamableHTTPConnectionParams,
} from "@google/adk/tools/mcp";

const toolset = new MCPToolset({
  connectionParams: new StreamableHTTPConnectionParams({
    url: "https://mcp.scalekit.com/hubspot",
    headers: { Authorization: `Bearer ${userScopedToken}` },
  }),
});

const agent = new Agent({
  name: "agent", model: "gemini-2.0-flash",
  tools: await toolset.getTools(),
});

Try these prompts

Paste any prompt into your agent to start pulling CRM intelligence from HubSpot.

Search & recall

Copy the prompt

Copied

Find all contacts at [company name].

Copy the prompt

Copied

Which deals are in the Proposal stage right now?

Copy the prompt

Copied

Search for [person name] in HubSpot.

Copy the prompt

Copied

List all companies in the [industry] industry.

Action & updates

Copy the prompt

Copied

Create a new contact for [name] at [company] with email [email].

Copy the prompt

Copied

Update the deal stage for [deal name] to Closed Won.

Copy the prompt

Copied

Add a note to [contact name]'s record: [note text].

Copy the prompt

Copied

Create a task: follow up with [company] by [date].

Pipeline & reporting

Copy the prompt

Copied

What deals are closing this month and who owns them?

Copy the prompt

Copied

List all contacts added in the last 7 days.

Copy the prompt

Copied

Show me all open deals over $50K.

Copy the prompt

Copied

What is the total pipeline value by owner?

SEE HOW AUTH WORKS

Users authorize HubSpot once. Their portal credentials stay vaulted, every call is checked, and every action is logged.

1

Authorize

Your user connects

HubSpot

once. We tie it to their identity and the meetings they approved — no shared bot account, no org-wide access

Who:

user ‘A’

when:

Once per user

access:

Limited to user

2

Store

Their

HubSpot

token lives in a vault scoped to them. User A's meetings are never reachable by an agent acting for user B, even on the same connection

vault:

encrypted

scope:

per-user

tokens:

auto-refreshed

3

Resolve

When your agent calls a

HubSpot

tool, we fetch the right token server-side. It never touches your agent, never appears in the LLM context, never shows up in your logs

speed:

~40ms

check:

before every call

seen by:

nobody

4

Audit

Every

HubSpot

tool call is logged — who triggered it, which meeting was fetched, what came back. 90 days of history, tied to the user who authorized it

history:

90 days

export:

SIEM-ready

logged:

every call

Test other agents

Same per-user auth pattern across other revenue ops agents and MCP connectors. Working code, live demos, fork what fits.

GTM

HubSpot to Slack updates agent

Watch HubSpot deal stage changes and post structured updates to the right Slack channel. Reps stop checking the CRM all day.

HubSpot

Slack

View agent

GTM

CRM AI agent

Log calls, update opportunity stages, and surface stalled deals across HubSpot or Salesforce. No manual data entry.

HubSpot

Salesforce

View agent

Why Scalekit

Secure your agent's access. Connectors ship in minutes

Other connector libraries treat auth as a demo afterthought. Scalekit starts with user identity, scope enforcement, and audit.

01.

Deal updates break rep attribution

A shared HubSpot token looks fine in a demo. In production, every deal update, task creation, and contact enrichment logs as the integration. Pipeline attribution breaks. Per-rep quota tracking breaks. Scalekit resolves the rep's own credential at call time, so HubSpot sees the right owner.

// shared bot token
token = "sk_hubspot_shared_xxx"
audit → bot_service_account
rep_filter → broken

// scalekit · per-user
token = resolve(user_id)
audit → user_abc
scope → enforced ✓

02.

Authentication is not authorization

03.

Multi-tenancy is architectural

04.

HubSpot today. Salesforce, Attio, Apollo tomorrow.

“Our agents act across Salesforce, Gong, Google Drive, and more, on behalf of every customer. Scalekit behind the scenes meant we can keep adding tools without ever rebuilding how credentials or tool calling work.”

Venu Madhav Kattagoni

Head of Engineering / Von

FAQs

Frequently Asked Questions

Does the agent access HubSpot as the user or as a shared key?

As the user. Each workspace member authorizes once and Scalekit resolves their credential at request time. Audit logs attribute every action to that user, not a shared service account.

Where is the HubSpot oauth 2.0 stored?

In Scalekit's managed AES-256 token vault, namespaced per tenant. Refresh is automatic. Revocation is a single dashboard action. Tokens never appear in prompts, logs, or LLM context.

Can I limit what the agent is allowed to do in HubSpot?

Yes. Pass a tool name filter to listScopedTools so the revenue ops agent only sees the subset you authorize. Pre-API-call scope checks block out-of-policy actions before the request reaches HubSpot.

What happens when a user revokes HubSpot access?

The connection is invalidated on the next tool call. Subsequent requests for that user fail closed with a clear error. Other users in the tenant remain unaffected. The event is logged for audit.

Can the agent work across multiple HubSpot portals?

Yes. Each portal is its own connected account. Per-user, per-portal namespacing in the vault. Cross-portal access is denied unless the same user authorized both.

HubSpot

Tools your revenue ops agent reaches for on HubSpot, scoped per user.