Mixed results having users log in with the 'contacts' scope


We have two portals that have users that can't log into our app with the 'contacts' scope even though they have permissions to every option we can see in the settings. In both cases the Super Admin is able to log in. Many of our other customers don't have this issue. We would appreciate help in debugging these two portals so we can better understand the conditions that cause this to happen.

Customer: Hub ID 4329259

Our dev instance: Hub ID 4743318

User facing permission issue while authorising app

Hi @Charlie_Moad, when you say "log into" your app, do you mean installing the app to their Account? If so, even if they have access to the tools in question, they must also be an Admin. Normally we suggest that Super Admins install apps, since they wouldn't run into any of these user-specific errors. This response by Derek goes over OAuth in depth, which I would highly recommend reading:


Thanks @Connor_Barley. Our integration is API only and uses OAuth. Our clients have never had to "install" our app. They simply log into our web application using their HubSpot credentials via OAuth and we can call the API on their behalf. For the most part all users have been able to log in, but we are seeing these two affected accounts where only the super admin can log in. We reviewed the permissions for the users who can't log in and they have all settings related to Contacts enabled. This inconsistency across clients is what is confusing.

I've read the link you provided. I'm still a little confused for a couple of reasons. 1) We have some clients with users who can log in even though they are not admins. 2) If an admin was required, how could any non-admin user log into HubSpot via OAuth? 3) Everyone is an admin in our dev portal, and only I (super admin) can log in.


Hi @Charlie_Moad, I think you may be thinking of HubSpot's OAuth 2.0 flow in a way that's not indicative of the way that it's intended to function. What you describe sounds to me like an SSO type functionality, sort of like when you sign into another platform with Google or with Facebook. HubSpot's OAuth flow is not a sign in flow -- it's a process for installing an app to a HubSpot account. I'd liken the OAuth flow to installing a game from the App Store on your iPhone. You must have an iPhone or Android, must have access to the app store, and must have a credit card to pay for the game, but once the game is installed, any person who is using your phone can play it.

The way that HubSpot OAuth should work is that you have an application in your Developer Account that requests access to a few specific scopes. The scopes being requested must be tools that the Account that's installing the application has access to (example: if my app in its settings here: https://app.hubspot.com/developer/4584217/application/170185 requests access to Content, but my main production account does not have access to landing pages or any type of content tools, the app won't be able to be installed). Further, the user who installs the application must have access to those tools as well. We normally suggest that Super Admins install the application, but there are situations in which non-Super Admins can install apps.

When the user goes to install an app and gets directed to this page:

the application is asking for which account they should generate Access and Refresh Tokens for. When the user confirms the scopes the app is requesting, HubSpot generates those tokens specific to the user, but the app can then be used by all users who have access to those scopes within the account. So the application is really an account-wide thing.

By having multiple users from the same account use your app and "sign in", you're technically just having them re-auth your app into the same portal, generating different refresh and access tokens each time.

If you need some more info on how OAuth in HubSpot works, I'd highly recommend reading this resource: https://medium.com/@darutk/diagrams-and-movies-of-all-the-oauth-2-0-flows-194f3c3ade85 and this topic:
OAuth contact permission flow


Hi @Connor_Barley. Thanks for the clarification on the intended use of the OAuth API. One thing we liked about having each user authenticate individually is that any action performed against the API is traceable back to the user who actually performed them, not the super admin who connected the app. I would be curious if you have any thoughts about how to handle this. No matter, I do appreciate you taking the time to support us.
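An added example, not code from the thread or from HubSpot, that walks through the install flow Connor describes (authorization request with the requested scopes, state check on the callback, and a check that the granted scopes cover what the app needs) and keeps the per-user attribution Charlie wants by recording which hub and which user authorised each token. The authorize endpoint and the shape of the token-metadata response are assumptions modelled on HubSpot's public OAuth documentation; the callback URL, client id and token-info dictionary are constructed sample values.

```python
# Added example: HubSpot-style OAuth install flow with state validation,
# scope checking and per-user token attribution. Endpoint path and the
# token-metadata fields are assumptions; all sample values are constructed.
import secrets
from urllib.parse import urlencode, urlparse, parse_qs, quote

AUTHORIZE_URL = "https://app.hubspot.com/oauth/authorize"  # assumed endpoint


def build_authorize_url(client_id, redirect_uri, scopes, state):
    """Step 1: send the user to HubSpot asking for exactly the scopes the app needs.
    Scopes are space separated and percent-encoded (contacts%20oauth)."""
    query = {"client_id": client_id, "redirect_uri": redirect_uri,
             "scope": " ".join(scopes), "state": state}
    return AUTHORIZE_URL + "?" + urlencode(query, quote_via=quote)


def parse_callback(callback_url, expected_state):
    """Step 2: on the redirect back, accept the code only if state matches
    the value we generated for this browser session (CSRF protection)."""
    params = parse_qs(urlparse(callback_url).query)
    if params.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: rejecting authorization code")
    return params["code"][0]


def register_install(token_info, required_scopes, registry):
    """Step 3: token metadata (assumed fields: hub_id, user_id, user, scopes)
    names the account and the person who authorised. Fail if the granted
    scopes do not cover what the app requires, otherwise store the mapping
    so later API calls can be traced to that user, not just the account."""
    missing = set(required_scopes) - set(token_info["scopes"])
    if missing:
        raise PermissionError(
            f"hub {token_info['hub_id']}: token lacks scopes {sorted(missing)}")
    registry[(token_info["hub_id"], token_info["user_id"])] = {
        "user": token_info["user"], "scopes": list(token_info["scopes"])}
    return registry


if __name__ == "__main__":
    state = secrets.token_urlsafe(16)
    print(build_authorize_url("CLIENT_ID_PLACEHOLDER",
                              "https://example.invalid/cb", ["contacts"], state))
    code = parse_callback(f"https://example.invalid/cb?code=abc123&state={state}", state)
    # Constructed sample of the token-metadata response; 4743318 is the dev hub from the thread.
    info = {"hub_id": 4743318, "user_id": 101,
            "user": "admin@example.invalid", "scopes": ["contacts", "oauth"]}
    print(code, register_install(info, ["contacts"], {}))
```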