Oauth2 Access Denied


I am currently trying to implement the Oauth2 workflow but I am running into issues in which the Oauth2 would always return a Forbidden while trying to exchange the code to get an access token. But the response from the https://api.hubapi.com/oauth/v1/token endpoint.

I am currently using Marketing FREE, so how can get API access while developing Oauth Apps for Hubspot?

Many thanks.


Hi @kengie

Do you have any more details for the error you’re getting when trying to exchange the code? You should be able to see more details in the body of the error response.

For testing, you can create a test portal from your developer portal that would have limited access to most of the paid marketing features.


Hi @dadams,

Thank you for your reply.

For testing, I was also using that ‘How do I create a test portal?’ and still I’m getting the same error.

The error is HTTP Forbbidden and the Content of the message is:

Access Denied

Access Denied

You don’t have permission to access “http://api.hubapi.com/oauth/v1/token” on this server.

Reference #18.21d36068.1502458365.1d2f572f

The REST Endpoint I am using is https://api.hubapi.com/oauth/v1/token as listed on the HubSpot Oauth2 document.

Do you need my account and client Id to see what is wrong with my account?

Many thanks.


I’m getting the same error. I’ve verified my client ID, secret, same redirect_uri as the auth request, correct code.

Something must be broken on the backend because the error references http when I’m definitely calling https.

In my case I’m using an app in an active, live HubSpot account. It’s an older app but that isn’t supposed to make a difference.

After some experimentation, I believe this is being caused by using an IP instead of a domain in the redirect_uri.

This will make it somewhat more difficult to test locally, but I’m pretty sure that’s the issue. (For me, at least.)

Okay, I can verify that it was the domain that was the issue. Using an IP as the domain will cause this error.


Thanks, @Silarn for the heads up.

I did try to use a domain name instead of an IP address but it seems still not work. Although I did add a port at the end of the redirect_uri (e.g. https://www.example.com:11111), but I don’t think the port should affect it at all.

It is strange as I was able to see my code in the callback to my server but I only get access denied when trying to exchange my code for a access token. But then again, I’m on a Marketing FREE and also created a TEST Hubspot trial and still access denied.


@kengie It’s possible the port would affect it. Try hitting the API without the port using postman or something.

You’ll get an actual JSON response (with an error telling you it’s not a claimed redirect URI) instead of that generic error page.

Honestly, either this is a bug in the token endpoint - or the first auth method needs to be updated to restrict invalid return URIs.


Thank you @Silarn. It seems that you are right.

I tried to use the Oauth2 without IP:port and it does allow me to be authorized and I was able to get back the JSON string.

It is working now. Many thanks!


No problem! Had to figure it out for myself, too. :slight_smile: