STRATCONN-6823 - [Hubspot] - Oauth upgrade

[joe-ayoub-segment]

OPEN question: Does destination need to migrate to api.hubspot.com or can it stay on api.hubapi.com?

Upgrades the HubSpot destination's OAuth token refresh to support the new 2026-03 endpoint (/oauth/2026-03/token), gated behind the actions-hubspot-oauth-v2 feature flag.

The new HubSpot OAuth API is functionally identical to v1 — same POST body params, same response shape — but uses a versioned URL path. Our implementation already sent credentials in the request body (not query params), so the upgrade is a URL swap with no behavioral change.

A small core change was required to thread features into the refreshAccessToken handler, which previously only received { settings, auth }. This is backward-compatible — features is optional on the interface.

Changes

• packages/core/src/destination-kit/index.ts — Added optional features to RefreshAuthSettings interface and forwarded it
  through the refresh flow
• packages/destination-actions/src/destinations/hubspot/versioning-info.ts — Added HUBSPOT_OAUTH_API_VERSION_NEXT_FLAGON = '2026-03'
• packages/destination-actions/src/destinations/hubspot/index.ts — Token refresh selects endpoint based on actions-hubspot-oauth-v2 feature flag
• packages/destination-actions/src/destinations/hubspot/tests/index.test.ts — Added refresh token tests

Testing

Staging tests

1. Flag off (default): Send an event through HubSpot destination with an expired access token. Verify the token refresh hits /oauth/v1/token and the event delivers successfully.
2. Flag on: Enable actions-hubspot-oauth-v2 for the workspace. Send an event with an expired access token. Verify the refresh hits /oauth/2026-03/token and the event delivers successfully.

New unit tests

• should use v1 endpoint when feature flag is not set — No features passed, refreshes via /oauth/v1/token
• should use v1 endpoint when feature flag is false — Flag explicitly false, refreshes via /oauth/v1/token
• should use 2026-03 endpoint when feature flag is enabled — Flag true, refreshes via /oauth/2026-03/token

Security Review

Please ensure sensitive data is properly protected in your integration.

• Reviewed all field definitions for sensitive data (API keys, tokens, passwords, client secrets) and confirmed they use type: 'password'

New Destination Checklist

• Extracted all action API versions to verioning-info.ts file. example

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.