Hubspot OAuth integration requires admin approval but user is already an admin


Hubspot OAuth integration requires admin approval but user is already an admin


Hi @Angelo_H,

Thanks for including a video; that example was really helpful! That error can appear even if you're an admin; with the exception of the Super Admin role, it's still possible for an admin to be missing a particular role/permission (e.g. if you didn't have full view/edit access to all contacts). If it's reasonable for you to have access to everything, I'd recommend making yourself a Super Admin, as this will ensure that you have full access to all roles. Otherwise, I'll need to take a look at the scopes that the integration is requesting and compare them to the various roles that your user account has access to.


We are requesting "contacts" scope. So user has to have "contacts" access right?

OAuth inconsistency in scope permissions for users

I have similar questions and it's a generic error message. Hoping to get some answers on this or at least some better error reporting.


Hi @Angelo_H,

Short answer: Yes. Long answer: The user needs full access to every permission related to the contacts scope. This includes full read/write access to all contacts, regardless of ownership. It also includes access to the Lists tool, since that technically falls under the contacts scope. The surest way to make sure an integration will install successfully is to have a super admin install it.

@Tim_Joyce_Belch I reached out separately on your post.


@Derek_Gervais But I used super admin to integrate and it works. But how other team members can also integrate Hubspot OAuth to our app? We are using the free version though. I am not sure if it matters.


@Derek_Gervais If I make every team member super admin on Hubspot, then everyone can connect to our app through Hubspot OAuth. The only scope we asked is Contacts. But most of our users aren’t going to want to make non managers super admin. What should we do?


Hi @Angelo_H,

There's a fundamental misunderstanding here with regard to how the auth process works. Only a single user needs to authorize an integration for a given portal. I'm going to link to my explanation on another topic here:


@Derek_Gervais So in our app, only one team user (Hubspot team admin) needs to authorize Hubspot Oauth to our app. We just need to use the same auth token and refresh token for every team user when they want to sync contact to Hubspot. Is that right?

How would the refresh token work though? Because every team user is using the same auth token and refresh token, there will be several refresh requests trying to refresh the token at the same time when an auth token is about to expire. Do you expire refresh token? If not, I think it might be okay.