Forms scope doesn't work without contacts scope



Seeing something strange while working with OAuth and the forms API.

I have a simple application that only requires access to the forms here’s my form to request access:

<form action="" method="GET" id="authForm">
            <input type="hidden" name="client_id" value="b6dc1f3c-2c29-4411-913a-3bfa646ecab6">
            <input type="hidden" name="scope" value="forms">
            <input type="hidden" name="redirect_uri" value="">
            <button type="submit" class="btn btn--default">Connect to Portal</button>

When doing this - the request goes through and says the application wants access to read/edit forms and general contact information.

I have an ajax endpoint that makes a request to the /forms/v2/forms endpoint but it fails when I don’t have the contacts scope applied to my authentication request via <input type="hidden" name="scope" value="contacts forms">

"status": "error",
"message": "This oauth-token ([token]) does not have proper scope group permissions! (requires all of ids [1])",
"correlationId": "...",
"requestId": "..."

Can you shed some light here? The authentication documentation doesn’t say that the contacts scope is required for the forms scope to work.

Telling a user we’re accessing contact data when we aren’t will look very fishy for a free tool.

OAuth 2 'forms' Scope Permission Problem

Hi @derekcavaliero,

You’re correct that most of the forms API also requires the contacts scope. Generally, integrations involving forms request the contacts scope in addition to forms in order to have access to contact properties. This is primarily a symptom of the fact forms and contacts are so closely associated. contacts should be requested alongside forms, and I’ll work on updating the scope documentation to include this requirement.


@Derek_Gervais thanks for the reply.

I figured it was something of that nature. Ideally the read endpoints for the forms API not related to the contacts would only require the forms scope and not the contacts.

My application only uses the /forms/v2/forms and /forms/v2/fields endpoints. This isn’t a deal breaker - but it might confuse a user when authenticating in the context of what our application is doing.


Hi @derekcavaliero,

That’s a good point, and I’d be happy to pass this use case along to product. The team is thinking about the scoping of certain APIs, so this is welcome feedback.