HubSpot Private Apps for AEO: Lantern's auth model explained

Why Lantern uses a HubSpot Private App instead of the public marketplace app for AEO pipeline attribution — and the exact scopes your admin approves during install.

Updated 2026-04-20 · HubSpot integration · ~6 min read

What this does

HubSpot offers two integration auth models: Public Apps (marketplace-listed, OAuth2, multi-tenant) and Private Apps (per-portal, scoped access token, single-tenant). Lantern uses Private Apps because the scopes required for AEO pipeline attribution are sensitive enough (write access to Contact and Deal properties, workflow creation) that most security-conscious buyers prefer the per-portal audit trail a Private App provides.

How Lantern fits

On install, Lantern walks the admin through creating a Private App in HubSpot with a pre-defined scope set. The Private App name is 'Lantern AEO Attribution'. The token is stored encrypted in Lantern's vault and never sent to third parties. Revoking the Private App in HubSpot instantly kills Lantern's access (one-click, no support ticket).

Setup preview

Install flow: (1) Log into HubSpot as super admin. (2) Settings > Integrations > Private Apps > Create private app. (3) Name it 'Lantern AEO Attribution'. (4) Scopes tab: check the 9 scopes Lantern specifies (listed below). (5) Create app, copy the access token, paste into Lantern's onboarding wizard. (6) Lantern validates the token and scope set, reports any missing permissions, completes install.

HubSpot Private App scope list (paste during app creation) · text
# HubSpot Private App scopes for Lantern AEO
# Copy these into the Scopes tab during private app creation

# Read scopes (required)
crm.objects.contacts.read
crm.objects.deals.read
crm.objects.companies.read
crm.schemas.contacts.read
crm.schemas.deals.read

# Write scopes (required for attribution writeback)
crm.objects.contacts.write
crm.objects.deals.write
crm.schemas.contacts.write    # create custom properties
crm.schemas.deals.write       # create custom properties

# Automation scope (required for workflow creation)
automation

# Content scope (required for CMS Hub integration, optional)
content

# Tracking scope (required for tracking code injection, optional)
tracking

Where this fits in the bigger picture

This page describes one specific surface inside HubSpot where Lantern's AEO pipeline attribution plugs in. The full integration stitches together across HubSpot Contacts, Deals, Workflows, Lists, Reports, Forms, CMS, and the Marketing/Sales/Service Hub stack. If you're evaluating where to start, the comparison hub has side-by-side comparisons of Lantern against Profound, Scrunch, Peec AI, AthenaHQ, and HubSpot's own AEO product — scored on the dimensions that matter for a CMO buyer (CRM integration depth, reporting quality, prompt-scaling economics).

If you're about to walk this work into a renewal review or budget conversation, the CFO's Guide to AEO Budget Defense has the memo template, the five-slide deck structure, the attribution-math cheat sheet, and the three most-common CFO objections with counter-arguments. It's the long-form companion that translates the technical HubSpot setup on this page into a defensible dollar number for finance.

FAQ

Common questions.

Why not list Lantern on the HubSpot public marketplace?
Marketplace listing requires HubSpot's app review, which is quarterly-batched and adds 60-120 days to ship. Private Apps are immediate. As Lantern's install base grows we'll apply for marketplace listing; for now, Private App install is faster and gives more control.
Is the access token stored securely?
Yes. Tokens are encrypted at rest with per-portal envelope encryption keyed off a customer-specific data encryption key. Tokens are never logged. Only two Lantern services have the ability to decrypt for API calls — the HubSpot sync worker and the attribution rollup service.
Can I rotate the Private App token?
Yes. Rotate in HubSpot (Private App settings > rotate token), paste new token into Lantern settings, old token is immediately deactivated. No downtime. Lantern recommends rotation every 180 days for security hygiene.
What if my security team requires IP allowlisting?
Lantern's HubSpot API calls come from a fixed IP range which we publish for security-review purposes. On Enterprise tier, we support customer-specific dedicated egress IPs for stricter allowlisting requirements.

Lantern ships this as a one-click HubSpot install.

Instead of hand-wiring properties, workflows, and tracking snippets, Lantern installs the full HubSpot integration in under 30 minutes — then ships the monthly AEO pipeline ROI report your CFO signs off on. $99/mo Starter or Enterprise. 14-day free trial.

Start free trial