oAuth help -- creating a callback uri for non-app



Hi there! I want to use the timeline API to automate the passing of data to a new contact. This is not really an app, but rather some Javascript I'm going to write that is triggered by a webhook from another app. I understand I need to use a valid access token (and refresh token) to post such data. My problem is that I am not understanding how to use the callback URI to get my initial access token and refresh token, since I'm not really building an "app".

I have given my private "app" in Hubspot proper permissions, and I'm following the guideline set in the API documentation for required parameters in the initial authorization request that returns the auth code, which I then exchange for access token. I am trying to use Postman as my app to authorize, because it has a built-in callback URL for such requests.

I'm concerned that Postman is using the parameter key as "callback_url" or "redirect_url" instead of what Hubspot requires, which is "redirect_uri", but maybe not, since "redirect_uri" is oAuth standard.

Next, I've tried using "https://localhost:8080" as my callback, and I get this error in dev tools:
onOAuth2TokenRequestCallback @ requester.js:475650.

I've tried to leave callback parameter blank (to see if Postman then includes their own), and I get this error: An invalid redirect_uri was provided. Please contact the integrator.

I can't seem to find any good tutorials online for how to create a callback url for an oAuth request. I know I can create it myself on my website using PHP code, for example, but I don't know how. I'm not that gifted of a developer.

What can I do? Thanks a lot!


Hi @Tom_Copeland,

I'm not familiar enough with Postman to really point you in the right direction when it comes to the built-in callback url functionality, but in theory you can just put any URL there if you're just manually generating OAuth tokens. For example, you could do the following:
https://app.hubspot.com/oauth/authorize?client_id=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx&scope=contacts%20automation&redirect_uri=https://www.example.com/

Where the redirect_uri is literally https://www.example.com/. Once you complete the auth flow, you'll be sent to example.com, with the auth code appended to the URL. Since you're just manually generating the tokens, you can just grab this from your browser's URL bar and use it to get your access/refresh tokens.


Hi! That's great, thanks. Unfortunately, it's still not working for me. I have a developer account, and I am building HB apps to work with my own data. Lots of things I can do with my HAPIkey, but now I want to create timeline events, and I'm having trouble using oAuth for that.

I understand I need to initiate oAuth:

But I'm getting 403 errors (HTTP not configured) when I try to do this using Postman.

So, I figured I would create a cURL request onto a new PHP page on my website server: https://www.800goldlaw.com/hubspot-auth. Now I tried to request the following directly inside my browser:


I'm met with my developer dashboard, so I'm feeling good. But then I choose the app I want to use, and I'm met with this message: "Uh oh. Insufficient scopes were provided. Please contact the integrator."

So then I went into the app and just gave it all scopes and permissions (since I'm the only user using it, I'm not making a public app.)

Tried again, and still got that insufficient scopes error.

Maybe I'm fundamentally missing something. Could you help provide a little guidance?


Hi @Tom_Copeland,

One key piece here is that the checkboxes that appear in your app settings are the scopes that must be provided for an authentication to work. All this does is fail an authentication request if the auth URL is missing any scopes; it's useful when an app dynamically generates auth URLs, but needs to make sure there is a minimum set of scopes. Here's an example:

  • My app generates an auth URL, but no matter what my app requires contacts and automation.
  • In my app settings, I would check off contacts and automation
  • The following URLs would work based on these settings:
    • https://app.hubspot.com/oauth/authorize/?client_id={{client_id}}&redirect_uri={{redirect_uri}}&scope=contacts%20automation
    • https://app.hubspot.com/oauth/authorize/?client_id={{client_id}}&redirect_uri={{redirect_uri}}&scope=contacts%20automation%20timeline
  • The following would fail with an 'Insufficient scopes provided' error, since it doesn't include all the scopes I checked off in my app settings:
    • https://app.hubspot.com/oauth/authorize/?client_id={{client_id}}&redirect_uri={{redirect_uri}}&scope=contacts

So in your case, you should uncheck any scopes that are not absolutely required for a portal to authorize your app. In fact, if this integration is only for a single portal you don't need to check off any scopes in your app settings.


Got it! Didn't know. Thank you, that's great! T
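
The manual flow and the scope check described in the answers above, as an added example that is not part of the original posts and is not HubSpot's code. The function names and sample values are constructed, and the `code` query parameter name is assumed from standard OAuth 2.0.

```javascript
// Added example: function names and sample values are constructed for illustration.
const AUTHORIZE_ENDPOINT = 'https://app.hubspot.com/oauth/authorize';

// Build the authorize URL with the three parameters used in the thread.
function buildAuthorizeUrl(clientId, redirectUri, scopes) {
  const query = [
    ['client_id', clientId],
    ['redirect_uri', redirectUri],
    ['scope', scopes.join(' ')], // space-separated, sent as %20
  ].map(([key, value]) => `${key}=${encodeURIComponent(value)}`).join('&');
  return `${AUTHORIZE_ENDPOINT}?${query}`;
}

// Scopes checked off in the app settings that the auth URL does not request.
// A non-empty result is the case the answer describes as failing.
function missingRequiredScopes(authUrl, requiredScopes) {
  const raw = new URL(authUrl).searchParams.get('scope') || '';
  const requested = new Set(raw.split(/\s+/).filter(Boolean));
  return requiredScopes.filter((scope) => !requested.has(scope));
}

// Read the auth code from the URL copied out of the browser bar, accepting it
// only if the browser landed on the redirect_uri that was actually sent.
function extractAuthCode(landedUrl, expectedRedirectUri) {
  const landed = new URL(landedUrl);
  const expected = new URL(expectedRedirectUri);
  if (landed.origin !== expected.origin || landed.pathname !== expected.pathname) {
    throw new Error(`landed on ${landed.origin}${landed.pathname}, not the redirect_uri`);
  }
  const code = landed.searchParams.get('code'); // assumed parameter name
  if (!code) throw new Error('no code parameter in the redirected URL');
  return code;
}

// Constructed sample run.
const url = buildAuthorizeUrl('CLIENT_ID_PLACEHOLDER', 'https://www.example.com/',
  ['contacts', 'automation']);
console.log(url);
// App settings require contacts + automation: nothing missing, request passes.
console.log(missingRequiredScopes(url, ['contacts', 'automation']));
// App settings also require timeline: the URL above would be rejected.
console.log(missingRequiredScopes(url, ['contacts', 'automation', 'timeline']));
console.log(extractAuthCode('https://www.example.com/?code=SAMPLE-CODE',
  'https://www.example.com/'));
```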