Workflow Access Actions
      Back to home
      1. Help Center
      2. HubSpot Micro Apps
      3. Workflow Access Actions

      Different ways to send files securely outside of HubSpot

      When sharing a file with a client, you want to ensure that only the intended recipient can access it. Here are three ways to securely send a file outside of HubSpot while ensuring unauthorised users cannot find it.

      1. Use a UUID in the Folder Name

      One simple way to create a secure file link is by using a Universally Unique Identifier (UUID) in the folder name. This ensures that the URL contains a randomized string, making it nearly impossible to guess.

      Steps:

      1. Generate a UUID – You can use an online UUID generator or programmatically generate one but we recommend using the 'Generate UUID' action within the Workflow Generate Code Actions App created by us!

      2. Create a folder in your file storage system (e.g., Google Drive, AWS S3, or HubSpot’s file manager).

      3. Name the folder using the UUID (e.g., example.com/files/9f8a1b2c-3d4e-5f6g-7h8i9j0k/filename.pdf).

      4. Share the file link with your client.

      This method ensures the link is unique and difficult to discover without direct access.

      2. Use the HubSpot API to Generate a Signed URL

      A more advanced and secure way to share private files is by using the HubSpot API to generate a signed URL. This method allows temporary access to a file stored in HubSpot, even if the file is private. You can decide on how long the link is accesible, could be a couple seconds or minutes

      How It Works:

      • Private files in HubSpot require specific scopes (e.g., files.ui_hidden.read or files)  to be accessed.

      • The signed URL allows you to generate a time-limited link that lets a user download the file without needing HubSpot access however if any one has this link then they can access and download it too. 

      Steps:

      1. Upload the file to HubSpot’s file manager and ensure it is private.

      2. Use the Files API to retrieve the File ID.

      3. Generate a signed URL using the HubSpot API.

        • The API request will return a temporary link that allows the recipient to download the file.

      4. Share the signed URL with your client.

      Note: If someone has the signed URL, they can access the file even if they aren’t in HubSpot, until the link expires.

       

      3. Send the PDF as an Attachment Using Mailgun

      Another secure option is sending the file as an email attachment via Mailgun. This keeps the file out of public URLs and delivers it directly to the recipient’s inbox.

      Steps:

      1. Upload the file to your Mailgun environment (optional, if hosting attachments separately).

      2. Use Mailgun’s API to send an email with the file attached.

      3. Ensure the email is sent only to the intended recipient.

      4. Use Mailgun’s logs and tracking features to confirm delivery.

      This method is effective for ensuring the recipient gets the file directly without needing a shared link.

       

      Each of these methods provides a way to securely share files outside of HubSpot. If you need a simple method, using a UUID in the URL can work. For more security, HubSpot’s signed URLs provide controlled access, and Mailgun attachments ensure direct delivery. Choose the approach that best fits your security and usability needs!

       

      • Public: the file URL will be publicly accessible to anyone who has or guesses the URL web address. Search engines will be able to index the file URL.
      • Public - noindex: the file URL will be publicly accessible to anyone who has or guesses the URL web address. Search engines are instructed not to index the file URL.
      • Private: the file URL will be private and require a URL to access. Search engines will not be able to index the file URL. After setting the file visibility to Private, choose from the following File URL options. 

       

      UUID + Signed URL 
      Store the file in a HubSpot private folder named with a UUID generated from the 'Generate UUID' action within the Generate Code Actions App.  Use the HubSpot API to generate a signed URL that grants time-limited access. This ensures the file is hidden within HubSpot’s system and only accessible through the secure signed URL


      FAQs

      How long does a HubSpot signed URL remain valid?
      Signed URLs are typically time-limited, but the expiration period depends on the configuration in HubSpot’s API. Always check the API response for expiration details.


      Can someone access a HubSpot private file if they have the signed URL?
      Yes, anyone with the signed URL can access the file until the link expires. However, the URL is not publicly discoverable.


      How do I revoke access to a HubSpot signed URL?
      Once a signed URL is generated, it remains valid until expiration. To prevent access sooner, consider regenerating the file ID or replacing the file with restricted permissions

      Is sending a file through Mailgun safer than using a link?
      Mailgun ensures the file is sent only to the intended recipient’s email. However, if the recipient’s email is compromised, the file could still be accessed by an unintended party

      Are there any size limits for files sent via Mailgun?
      Yes, Mailgun has attachment size limits (typically 25MB per message). If your file exceeds this limit, consider using a secure file-sharing service and sending a link instead