HubSpot

Install AxioRank from the HubSpot Marketplace to govern the AI agents that reach your CRM through HubSpot's remote MCP server. A CRM card shows that protection on every contact, company, and deal.

HubSpot's remote MCP server gives AI agents read and write access to your CRM: contacts, companies, deals, tickets, and activities. That is exactly the blast radius AxioRank governs. The AxioRank for HubSpot app lets a HubSpot admin install AxioRank with one click, so every AI-agent action that reaches your CRM is risk-scored, policy-gated, and audited, and so that protection is visible right on your records.

Governs your agents, does not write your CRM

v1 requests read-only CRM scopes, used only to label the card with the record you are viewing. AxioRank sits in front of the agents reaching HubSpot and decides what they may do. It does not write to your records.

Install

  1. In HubSpot, find AxioRank in the Marketplace and click Install, or start from AxioRank under Settings, Integrations, HubSpot and click Connect HubSpot.
  2. Grant consent. HubSpot returns you to AxioRank, which binds your portal to your AxioRank workspace and stores an encrypted OAuth refresh token.
  3. Open Settings, Integrations, HubSpot in AxioRank to confirm the connection and see the connected portal.

A HubSpot portal maps to exactly one AxioRank workspace. If you try to connect a portal that is already linked to a different workspace, AxioRank rejects it rather than moving it silently.

The Agent Access card

Once connected, an Agent Access (AxioRank) card appears on your contact, company, and deal records. It calls AxioRank from inside HubSpot with hubspot.fetch() and shows that AxioRank is governing AI-agent access to that record, with links into the AxioRank console.

How it authenticates

  • Install: standard OAuth 2.0 (HubSpot's 2026-03 token API). The short-lived access token is refreshed on demand from the stored refresh token and is never persisted.
  • Card requests: HubSpot signs every hubspot.fetch() call with the app client secret (an X-HubSpot-Signature-v3 header). AxioRank verifies that signature and maps the signed portal id to a workspace before returning any data, so the card endpoint cannot be called by anyone but HubSpot.
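The card-request check described above, sketched as an added Node.js example; it is not AxioRank's own code. It follows HubSpot's published v3 scheme (base64 HMAC-SHA256 over method + URI + body + timestamp, keyed with the client secret, with a five-minute replay window). Assumptions: the timestamp arrives in an X-HubSpot-Request-Timestamp header, the portal id is the `portalId` query parameter of the signed URI, the URI is passed in exactly as HubSpot signed it, and every function name, the workspace map and the sample URL are hypothetical.

```javascript
// Added example, not AxioRank's code. All names below are hypothetical.
const crypto = require("node:crypto");

const MAX_SKEW_MS = 5 * 60 * 1000; // replay window for the signed timestamp

// Constructed sample mapping: signed portal id -> workspace.
const WORKSPACE_BY_PORTAL = new Map([["1234567", "ws_demo"]]);

// base64(HMAC-SHA256(client secret, method + uri + body + timestamp))
function sign(secret, method, uri, body, timestamp) {
  return crypto.createHmac("sha256", secret)
    .update(method + uri + body + timestamp, "utf8")
    .digest("base64");
}

function verifyCardRequest(req, secret, now = Date.now()) {
  const sig = req.headers["x-hubspot-signature-v3"];
  const ts = req.headers["x-hubspot-request-timestamp"];
  if (typeof sig !== "string" || !/^\d+$/.test(ts || "")) {
    return { ok: false, reason: "missing-headers" };
  }
  // Reject replays of old captures (and timestamps far in the future).
  if (Math.abs(now - Number(ts)) > MAX_SKEW_MS) {
    return { ok: false, reason: "stale-timestamp" };
  }
  const expected = Buffer.from(sign(secret, req.method, req.uri, req.body, ts));
  const given = Buffer.from(sig);
  // Length check first: timingSafeEqual throws on unequal lengths.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: "bad-signature" };
  }
  // Only now trust the portal id: it is covered by the signature.
  const portalId = new URL(req.uri).searchParams.get("portalId");
  const workspace = WORKSPACE_BY_PORTAL.get(portalId);
  return workspace ? { ok: true, workspace } : { ok: false, reason: "unknown-portal" };
}

// Constructed request, signed the same way for demonstration.
function sampleRequest(secret, timestamp, portalId = "1234567") {
  const uri = `https://axiorank.example/hubspot/card?portalId=${portalId}`;
  const req = { method: "GET", uri, body: "", headers: {} };
  req.headers["x-hubspot-request-timestamp"] = String(timestamp);
  req.headers["x-hubspot-signature-v3"] = sign(secret, "GET", uri, "", String(timestamp));
  return req;
}
```

The order matters: the portal id is read only after the signature passes, so a caller cannot pick a workspace by editing the query string.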

Scopes and data

The app requests read-only CRM scopes (crm.objects.contacts.read, crm.objects.companies.read, crm.objects.deals.read) plus the base oauth scope. The OAuth refresh token is encrypted at rest with AES-256-GCM, bound to your workspace, exactly like AxioRank's other stored integration secrets.

Disconnecting

Click Disconnect in AxioRank to drop the stored token immediately. To fully revoke access, also uninstall the AxioRank app from your HubSpot account settings. HubSpot notifies AxioRank of the uninstall, which clears the install as well.

For AxioRank operators

The one-click flow needs the app's OAuth credentials on the deployment (HUBSPOT_CLIENT_ID, HUBSPOT_CLIENT_SECRET, HUBSPOT_APP_ID) and the discovery secret key (AXR_DISCOVERY_CRED_KEY or AXR_PROXY_CRED_KEY) to encrypt the token. Without the credentials, the Connect button is hidden. The HubSpot app project lives in packages/hubspot-app and is deployed with the hs CLI.