Changes to how authorization works?


I’m getting a 403 Unauthorized Access error (cannot access an unscoped endpoint) when attempting to get data back from several endpoints. I’m still able to get data back as normal for other endpoints though (originally I was able to get data back from all endpoints). One endpoint I can’t get data back for is the blog authors endpoint. One endpoint I can get data back from is the Layouts endpoint. Any idea what could be causing this? I’ve never seen “unscoped endpoints” mentioned before. Is it related to the recent changes to OAuth?


Hi @Adam

If you’re using OAuth2, you’ll need to make sure you’re requesting the content scope, but any token that can access the blog authors endpoints would also be able to access the layouts endpoints (since they’re both included in the content scope).

Are you logging the message of that 403 response? If the scope of the token is the issue, you should be seeing an error message saying that the token doesn’t have the proper permissions.

Otherwise, if you’re getting a different error, can you message me directly with the full URL and access token you’re seeing this with?


Hi @dadams,

It was an issue with scoping. Before I had just set my scope to ‘offline’ and everything worked. Is that no longer an option?

I also found that I was having some trouble granting all the scope permissions in my development sandbox (I got a “contact my administrator” message for automation). What’s the easiest way to grant all scopes?



Hi @dadams,

Can I grant access to a “global” content scope, or does access need to be granted on a scope-by-scope basis? Previously I could just set scope=offline to get access to everything. Does that no longer work in OAuth2?



There is no global scope that would cover all access, so you’d need to include each specific scope you need in the authorization URL. You can include multiple scopes, and it is possible to include all of the scopes, though obviously we’d recommend only including scopes that your app will actually be using.

If you’re specifically looking at content, the single content scope should cover all of the content (COS) APIs, from the Blog API to templates and URL mappings.


Hi @dadams,

Thanks for the info. When I tried to grant all 5 scopes to my account I got the following message:

Uh oh!

You do not have the correct role to grant these permissions. Please contact your administrator.

I noticed that on the sandbox I’m using my account is listed as an Account Administrator and a Sales Administrator, but not a Developers administrator as on another one of my other sandboxes. How can I change my account settings so that I can grant all scope privileges? I’m the administrator of the account and should have full control.



Can you send me the Hub ID you’re trying to authorize? Certain portal types would not have access to all of the tools, so they wouldn’t be able to approve the scopes for those tools (so a CRM-only portal wouldn’t be able to authorize the automation scope since it doesn’t include the workflows tool).


Hi @dadams,

I’m trying to authorize 2466326. Is there a way for my application to determine which type of account a user’s credentials are associated with? My application attempts to pull as much data as possible from a given user’s account so it can be analyzed in a program like Tableau, so I need to request access to all the scopes that exist for a user’s account.


Hi @dadams,

Do you have any suggestions for how to request “all existing scopes” for a given portal type? Now that “offline” can’t be used to grant complete coverage I’m really scratching my head as to how I can grant all the privileges my app needs.



Hi @Adam

That Hub ID is for a Sales/CRM only portal, so it wouldn’t have access to many of the scopes, which is why you’d see an error. The only scopes supported for CRM portals would be contacts and timeline.

Can you tell me more about the data that you try to pull from HubSpot? Are you currently supporting CRM only portals with your app?


Hi @dadams,

We’re trying to pull as much data from as many endpoints as possible from a given HubSpot portal. So for a user with access to a Sales/CRM-only portal, we’d want to pull data from all the endpoints associated with the contacts and timeline scopes. For a user with access to a “full” HubSpot portal, we’d want to pull data from all five scopes.

Is there a way to identify the type of portal associated with a set of user credentials so I know which scopes to request access for? Or another workaround you can think of?


Any ideas? They’d really be appreciated!


This is something we’re taking a look at, as there isn’t a good way to do this right now. Users will only be able to authorize scopes that the portal has, so you can’t request all scopes for a CRM only portal (which is why you’d see the error about roles), but it’s not currently possible to tell if a portal is CRM only before sending a user to the authorization URL. At the moment you’d need two different authorize URLs, and you’d need to ask the user what type of portal they have before linking them to authorize the connection. We’re going to take another look at this process and see if we can improve that experience.
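
The two-authorize-URL workaround described in the reply above, as an added example that is not part of the original thread or HubSpot's own code: it requests only the scopes a given portal type can approve and reports the ones it had to drop. The authorization endpoint, the standard OAuth 2.0 parameter names, and the helper names are assumptions; the scope lists use only the four scopes named in this thread.

```python
from urllib.parse import urlencode, urlparse, parse_qs

# Assumption: HubSpot's OAuth 2.0 authorization endpoint (not stated in the thread).
AUTHORIZE_URL = "https://app.hubspot.com/oauth/authorize"

# Scopes each portal type can approve, per the thread. Only four of the five
# scopes are named there; the fifth is left out rather than guessed.
PORTAL_SCOPES = {
    "crm": {"contacts", "timeline"},
    "sales": {"contacts", "timeline"},
    "marketing": {"contacts", "timeline", "content", "automation"},
}


def plan_scopes(portal_type, wanted):
    """Split the scopes the app wants into (requestable, dropped) for this portal type."""
    try:
        available = PORTAL_SCOPES[portal_type.lower()]
    except KeyError:
        raise ValueError(f"unknown portal type: {portal_type!r}")
    wanted = set(wanted)
    return sorted(wanted & available), sorted(wanted - available)


def build_authorize_url(client_id, redirect_uri, portal_type, wanted):
    """Return (authorize_url, dropped_scopes) for the portal type the user selected."""
    requestable, dropped = plan_scopes(portal_type, wanted)
    if not requestable:
        raise ValueError("none of the wanted scopes are available to this portal type")
    query = urlencode({
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(requestable),  # space-separated, as in OAuth 2.0
    })
    return f"{AUTHORIZE_URL}?{query}", dropped


if __name__ == "__main__":
    # Constructed sample values: placeholder client id and redirect URI.
    wanted = ["contacts", "timeline", "content", "automation"]
    for portal in ("crm", "marketing"):
        url, dropped = build_authorize_url(
            "CLIENT_ID_PLACEHOLDER", "https://example.com/oauth/callback", portal, wanted)
        print(portal, url, "dropped:", dropped)
```

Logging the dropped scopes lets the app skip the endpoints behind them instead of collecting 403 responses after authorization.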


Hi @dadams,

Thanks for the information. Can you tell me which endpoints are associated with which scopes? If I’m dealing with a CRM-only account I’d like to know which endpoints I can get data from.

Also, can you confirm for me that there are only two types of HubSpot portal? There’s the CRM-only portal and the “full” HubSpot portal with access to everything (i.e. all scopes), right?


There’s HubSpot Marketing, HubSpot CRM, and HubSpot Sales, right? Can you tell me which scopes are associated with each account type?


At the moment, CRM and Sales portals are effectively the same as far as scopes go, and they’ll only be able to get the contacts and timeline scopes. Portals with a Marketing subscription would have access to any of the scopes. This may change in the future so we’re still going to take another look at the OAuth process.


Hi @dadams,

The development portal we’re using (2318521) is a Sales portal. With the changes to OAuth, this means we can only access a small portion of the HubSpot endpoints which makes testing our app difficult. Is it possible to upgrade our development portal to a marketing account, or somehow change its permissions so that we can test our app properly?


@Adam was that portal created as a test portal from your developer account?


Hey @dadams,

Yes, it was, but it was created before the switch over to the new scope system. I’ve enabled the 30-day Marketing trial and once again have access to all the endpoints. Hopefully, I’ll have everything tested and released before the 30 days expires!


Hi @dadams,

I’ve upgraded my portal to a full account using the 30-day free trial and am able to successfully request access to all five scopes. I’m now able to access most of the endpoints, but I’m still getting the permissions error when I try to access any of the Calendar endpoints:

Are the calendar endpoints “unscoped”? If so, how can I request permission for such an endpoint?

UPDATE: After some more exploration it seems I don’t have access to any endpoints in the Calendar API, COS Domains API, and the Keywords API.