Skip to main content
Activation required. AI access management must be enabled for your tenant before you can use it. To get started, contact the C1 support team for a walkthrough.
The HubSpot MCP server lets you govern access to HubSpot — contacts, companies, deals, and other CRM records — as tools your AI clients can call through C1. HubSpot authenticates with a private app access token. A single token authenticates everyone, so all tool calls reach HubSpot as one shared identity. Create the token from a dedicated service-account user so activity is attributable to C1 rather than a person.

How C1 connects to HubSpot

C1 hosts the HubSpot MCP server, so your users’ AI clients only ever see MCP tools — they never call HubSpot directly. When an AI client calls one of these tools, C1 makes the matching request to the HubSpot API using the credentials you configure here, then returns the result to the AI client. The credentials you set up below are what C1 uses to call HubSpot on your users’ behalf.

Before you begin

  • AI access management must be enabled for your tenant. See Enable AI access management.
  • A HubSpot account with permission to create and manage private apps, which requires super admin access.
If you don’t see HubSpot in your MCP server catalog, contact the C1 support team to enable it for your tenant.

Create a HubSpot private app token

Create a private app in HubSpot to generate the access token C1 uses to call HubSpot.
1
In HubSpot, create a private app and select Create a private app. See HubSpot’s private apps docs for the navigation path and required super admin access.
2
On the Basic info tab, give the app a recognizable name such as C1.
3
On the Scopes tab, grant only the scopes you need, such as read access to the CRM objects you plan to govern.
4
Select Create app, then copy the access token. Treat the token like a password.

How HubSpot credentials are shared

Every user’s tool calls use the one private app token you provided, so HubSpot sees a single shared identity. C1 still attributes each call to the individual user in the AI tool usage audit log. For a shared production setup, create the token from a dedicated service-account user so activity is attributable to C1 rather than a person. For how shared and per-user credentials work across MCP servers, see Configure authentication.

Register the HubSpot MCP server in C1

With your token ready, register the server and provide your credentials.
1
Follow Register an MCP server and select HubSpot from the catalog.
2
When you configure authentication, choose Bearer token and paste your private app access token.
3
Save your changes. C1 starts a sync that discovers the tools the HubSpot server exposes.

Discover and govern tools

After you register the server, C1 runs tool discovery against HubSpot. Discovered tools appear on the server’s Tools tab. Each tool starts as either Pending review or automatically Approved, depending on the option chosen when the server was set up or your tenant’s default tool settings in Settings > AI Connections. See Require tool approval and Default tool classification. Before anyone can call a HubSpot tool, it must be approved, added to a toolset, and bound to an access profile. Continue to Govern tools and toolsets to set this up.
Tool discovery runs even if your credentials are incorrect, so seeing discovered tools doesn’t confirm that authentication is working. You confirm your HubSpot credentials when an approved user successfully calls a HubSpot tool from their AI client.

Manage your HubSpot credentials

  • Rotate the access token by rotating it in the private app’s settings in HubSpot, then update the token on the server’s authentication settings in C1.
  • Adjust access by editing the private app’s scopes in HubSpot.