Not applicable

Optional Scopes and "You do not have the correct role to grant these permissions."

Hello, I’m attempting to verify that my company’s HubSpot OAuth2 app can be integrated with our clients’ HubSpot accounts. I understand that CRM-only HubSpot accounts do not have access to scopes that are only available to Marketing HubSpot accounts.

I have no problem authorizing with the Test Portal that’s set up alongside our Dev Account. However, I’m not able to authorize our app when using a dummy HubSpot account (Hub Portal ID: 3306102) with these products: HubSpot Marketing Free, HubSpot CRM, and HubSpot Sales Free. Specifically, I get this error:

Uh oh!
You do not have the correct role to grant these permissions. Please contact your administrator.

The HubSpot OAuth API documentation denotes the optional_scope parameter which has this description:

Optional scopes will be automatically dropped from the authorization request if the user selects a HubSpot account that does not have access to that tool (such as requesting the social scope on a CRM only portal).

Our app does request permission for Marketing-only scopes, namely “content”, “reports”, “automation”, and “forms”. I added those scopes to the optional_scope param as per the documentation.

The resultant OAuth URL looks like this:

https://app.hubspot.com/oauth/<portal-id>/authorize?client_id=<redacted>&optional_scope=content%20reports%20automation%20forms&redirect_uri=<callback-url>&scope=contacts%20content%20reports%20automation%20forms&state=<redacted>

Attempting to initiate OAuth access using this URL with the optional_scope param also results in the permissions error I noted above.

I attempted to make all the scopes optional:

https://app.hubspot.com/oauth/<portal-id>/authorize?client_id=<redacted>&optional_scope=contacts%20content%20reports%20automation%20forms&redirect_uri=<callback-url>&scope=contacts%20content%20reports%20automation%20forms&state=<redacted>

But again, this results in the same error.

I’ve found similar issues, one of which has a note saying it was resolved:

I'm attempting to authenticate Hubspot with OAuth2 using the automation, contacts, and content scopes and getting this message on the redirect URL : "Uh oh! You do not have the correct role to grant these permissions. Please contact your administrator.". I believe I'm logged into our administrator account when running this request. Any help in resolving this would be appreciated.

Am I misunderstanding the purpose of optional scopes? Any insight into this error would be appreciated. Thanks in advance!

27 Replies
Vamsivinay119
Participant | Diamond Partner

Hi @pmanca This issue is solved. I figured out the scopes needed and it worked. Thanks.

Vamsivinay119
Participant | Diamond Partner

Hi @pmanca ,

I am the Super Admin for my test portal which is a Sales Free and Marketing Enterprise.

I am trying to install a custom integration and provided all the scopes which were selected in the app's details page.

https://app.hubspot.com/oauth/authorize?client_id=xxxxx-xxxx-xxx-xxxx-xxxx&scope=content%20forms%20a...

I ended up with “Uh oh! You do not have the correct role to grant these permissions. Please contact your administrator.”

0 Upvotes
3PETE
HubSpot Employee

@Vamsivinay119 Does the portal you are installing this into have all of the products that you are requesting access to? You could be an admin, but if your portal doesn't have workflows then it will throw an error when you try to install an app that is requesting access to it.

0 Upvotes
HP
Participant

Hi,

I’m trying to get OAuth to work with my Enterprise level portal. This is the URL I’m using but it always returns the error ‘Insufficient scopes were provided’.
In the app, every scope is ticked bar ‘social’.

Can anyone see what I’m doing wrong?

https://app.hubspot.com/oauth/authorize?client_id=CLIENTID&scope=contacts%20content%20reports%20automation%20timeline%20forms%20files%20hubdb%20transactional-email&redirect_uri=https://www.hubspot.com

0 Upvotes
Not applicable

I am having a similar problem with a customer’s account (I don’t have direct access). Our app requests “content”, “reports”, “social”, “automation”, “forms” as required scopes and “contacts”, “timeline”, “files” as optional scopes. All the scopes are requested via the OAuth call and not through settings (all the scopes are unchecked in settings).

This worked with the demo account and our own accounts, but when a marketing-only account tries to go through the OAuth flow the customer is getting “you do not have the correct role to grant these permissions”.

Where do we go from here to fix the problem?

0 Upvotes
3PETE
HubSpot Employee

@Ka-Hing_Cheung That error might be occurring if the person trying to install the app does not have administrator permissions on the portal to do so. That sounds more like a permissions issue than a scope issue.

0 Upvotes
Not applicable

Where is that permission setup? The user is both “marketing administrator” and “account administrator”. In the other instance the user is just “marketer”

0 Upvotes
3PETE
HubSpot Employee

@Ka-Hing_Cheung It is the portal settings under the roles and users.

0 Upvotes
Not applicable

Could you be more specific? Like I said, one of the accounts is “marketing administrator” and “account administrator” already.

0 Upvotes
3PETE
HubSpot Employee

Is the portal you are trying to install it into a Pro or Enterprise portal? As they would need workflows for the automation scope.

0 Upvotes
Not applicable

This is from our customers so I don’t know the answer to that, but I can ask. Could you tell me where they would see if they have “workflows for the automation scope”?

0 Upvotes
3PETE
HubSpot Employee

@Ka-Hing_Cheung You need to figure out if they have the Pro or Enterprise version of HubSpot.

0 Upvotes
Not applicable

@pmanca That appears to have worked – I was able to successfully authorize the app with a non-Marketing HubSpot portal. Thanks for your patience in clarifying that issue for me and my team.

Not applicable

@pmanca I believe removing the state query param has no effect.

https://app.hubspot.com/oauth/<portalid>/authorize?client_id=<redacted>&optional_scope=content%20reports%20automation%20forms&redirect_uri=<callback-url>&scope=contacts

^ that URL still results in

Uh oh!
Insufficient scopes were provided. Please contact the integrator.

0 Upvotes
3PETE
HubSpot Employee

@mattstitch Can you print out the full error from the console?

0 Upvotes
Not applicable

@pmanca No problem. When attempting to authenticate our HubSpot app through a test portal, our application directs a user to:

https://app.hubspot.com/oauth/<portal-id>/authorize?client_id=<client-id>&optional_scope=content%20reports%20automation%20forms&redirect_uri=<callback-url>&scope=contacts

On that page, I believe this failing XHR is the important one – a POST request to

https://api.hubapi.com/oauth/v1/application-authorizations?portalId=<portal-id>&clienttimeout=7000

which returns a 400 with this response body:

{
  "status": "MISSING_SCOPE_GROUP",
  "message": "client requires more scopes",
  "correlationId": "dbcbe0ab-1bf3-4ed8-be38-1e9dce75f302",
  "requestId": "65a70a56b5e5b21931fd40f340e0aa76"
}

Here is the POST body:

{
  "clientId": "<client-id>",
  "hubId": <portal-id>,
  "optionalScopes": [
    "content",
    "reports",
    "automation",
    "forms"
  ],
  "redirectUri": "<callback-url>",
  "responseType": "code",
  "scopes": [
    "contacts"
  ]
}

It looks like the query parameters from the initial request are being properly ferried to the /application-authorizations endpoint. It’s not clear what additional scopes are required – the only one I required (contacts) was the only non-Marketing one.

0 Upvotes
3PETE
HubSpot Employee

@mattstitch If you check any of the below scopes then they need to be required scopes. Your requests are correct but you might need to change your app settings. Any optional_scopes must be handled in your code and not through the app.

Your code is asking it as an optional scope but your app settings are overriding it as a required scope.

0 Upvotes
Not applicable

@pmanca Ah, I think I finally understand. Our HubSpot app settings need to define the minimum set of scopes that our app requires. The optional_scope param can be used to request additional scopes. I don’t think I realized that the app settings needed to match the scope param in the OAuth authorization URL.

Concretely, our app settings should only have Contacts checked, and then our users will authorize our app at this URL:

https://app.hubspot.com/oauth/<portal-id>/authorize?client_id=<client-id>&optional_scope=content%20reports%20automation%20forms&redirect_uri=<callback-url>&scope=contacts

which will give us permission to access the optional scopes as well: Content, Reports, Automation, and Forms. If the user’s HubSpot portal does not support any of those optional scopes, our app will of course not be able to access those resources, but for Marketing HubSpot users, our app will have access.

Am I understanding correctly?

0 Upvotes
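
The rule reached in the post above (app settings hold only the required scopes, `scope` matches them, everything else goes in `optional_scope`), as an added example that is not part of the thread or HubSpot's own code. The checks encode the thread's conclusions rather than HubSpot's server-side logic; `check_scopes`, `build_authorize_url`, the client id and the callback URL are assumptions.

```python
from urllib.parse import quote, urlencode

# Endpoint as it appears in the thread's URLs (variant without the portal-id segment).
AUTHORIZE_URL = "https://app.hubspot.com/oauth/authorize"


def check_scopes(app_settings, scope, optional_scope):
    """Return the scope mismatches the thread ties to failed installs."""
    configured, required, optional = set(app_settings), set(scope), set(optional_scope)
    problems = []
    overridden = configured & optional
    if overridden:
        # Thread: app settings override an optional scope as a required one.
        problems.append(f"optional in URL but checked in app settings: {sorted(overridden)}")
    duplicated = required & optional
    if duplicated:
        # Thread: listing a scope in both params still produced the permissions error.
        problems.append(f"listed in both scope and optional_scope: {sorted(duplicated)}")
    missing = configured - required - optional
    if missing:
        problems.append(f"checked in app settings but absent from URL: {sorted(missing)}")
    return problems


def build_authorize_url(client_id, redirect_uri, app_settings, scope,
                        optional_scope=(), state=None):
    """Build the authorize URL, refusing combinations check_scopes() flags."""
    problems = check_scopes(app_settings, scope, optional_scope)
    if problems:
        raise ValueError("; ".join(problems))
    params = {"client_id": client_id, "redirect_uri": redirect_uri,
              "scope": " ".join(scope)}
    if optional_scope:
        params["optional_scope"] = " ".join(optional_scope)
    if state is not None:
        params["state"] = state  # opaque, integrity-protected value from the caller
    # quote (not quote_plus) encodes spaces as %20, as in the thread's URLs.
    return AUTHORIZE_URL + "?" + urlencode(params, quote_via=quote)


if __name__ == "__main__":
    marketing = ["content", "reports", "automation", "forms"]
    # Constructed values: client id and callback are placeholders.
    print(check_scopes(["contacts"] + marketing, ["contacts"], marketing))
    print(build_authorize_url("CLIENTID", "https://example.com/callback",
                              ["contacts"], ["contacts"], marketing))
```
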
3PETE
HubSpot Employee

@mattstitch yes that sounds correct to me. Let me know if that works please

0 Upvotes
Not applicable

@pmanca It’s an OAuth 2.0 base64 state string, which contains some of our app state and a signed nonce.

0 Upvotes