oAuth - redirect_Uri/scope


we are a third party system which need to integrate into Hubspot via an API to load contacts. From our system the users just needs an updated or not indicator as to whether that contact was created.
Now I don’t know what to put under redirect URI because this is all seamless to the user - they don’t need to be redirect

Another thing is what are the pre-defined scope values that must be used in the API - what are the values recognised by Hubspot


Hi @carolynebrownlee,

When a user is installing your app, they’ll be sent to an account selection screen to pick the account they want to install the app in. After they select, they’ll be sent to the redirect uri you specify (where you’ll then grab the code parameter that’s appended to the URL). This process only occurs when the app is being installed.

Regarding scope values; the following developer doc outlines the available scopes:


HI Derek

This is all in the backend so there is no login screen and the redirect URI is not required.

I want to simply integrate from a system to send a message to hubspot and hub spot to create the contact.

There is NO user interaction with this integration.

Do you only allow grant type of “authorisation code” or could I sent through the username and password for immediate valiation



Hi @carolynebrownlee,

The HubSpot OAuth flow only allows the authorization_code grant type. If you’re using OAuth, you need an initial user interaction to install the app to a portal. It’s similar to installing a program to your computer; the program might function without any login or user interaction, but the user still needs to install the application to begin with. The following developer doc covers the process of installing an app in a bit more detail:

After the installation process, you can use the access/refresh tokens to do everything else without any user interaction. If you’re looking to avoid the OAuth process, you could also authenticate your requests with a portal’s API key:


Hi Derek

I now understand what you are saying and I am making progress with the integrations my side.
The concern is will the auth code ever expire? I just did a test now and found this is what is being return.
This is going to be an issue - isn’t this meant to be one off at installation

Please let me know



Hi @carolynebrownlee,

Access tokens expire every 6 hours, but refresh tokens do not expire. When your access token expires, you’ll need to use your refresh token to get a new access token:


Perfect – Thanks for the response