Customers may need to remove existing Integration when updating to OAuth 2.0



We are updating our tool to use OAuth 2.0 and have been seeing this error in certain situations:

“You do not have the correct role to grant these permissions. Please contact your administrator.”

This happens when we attempt to connect to our Sales portal using our existing HubSpot App. If we use a completely new app, it connects without issue. We were able to resolve the problem in our tests by removing our existing app from the list of Integrations on the sales site, and then authorizing it again. However, this concerns us that our customers will also have to manually take this step of logging into HubSpot and directly removing the existing integration.

Formerly in OAuth 1.0, we requested these scopes from all portals: events-rw settings-rw contacts-rw offline. In OAuth 2.0, we request only “contacts” with the scope parameter, and with optional_scopes we request content, social, automation, and timeline. I suspect what is happening is when those old scopes are detected by the OAuth 2.0 flow, it is somehow requesting content as a required scope due to the former inclusion of events-rw. Since the Sales site doesn’t have access to that sort of data, it results in the same error as if we had included “content” as a required scope.

Is this behavior by design, or perhaps some oversight that was not tested?


Hi @Casey_Thompson

You should not need to remove the app from your portal before being able to authorize the app with OAuth 2.0, and any scopes you used when authorizing an app with the old OAuth system wouldn’t have any effect on how the OAuth2 authorization would work.

Can you message me with the Hub IDs and the authorize URLs you were seeing this with?