Permissions error trying to install our own APP


@plytix you’re seeing webhooks for that portal that were set up for your app with ID 36676? I haven’t tested that personally but I’ll check with the engineers who are working on this fix.


@dadams yes, we are receiving webhooks from portalId 250707 in our app id 36676. I configured the app as “private app” (One off Only my portal will get value out of this amazing app) so I do not understand how another portalId can install and use this app…


Just wanted to see if there was an update on this issue. I am seeing the same error.
I think I have my scopes set up properly.


We are also seeing a similar error while trying to connect to a CRM portal:

  1. selecting CRM Portal:
  2. getting error like this:

Is this the same issue?



I am experiencing the same issue:

A response of: { error_description: ‘missing or invalid scopes’,
error: ‘invalid_request’ }

In response to a request something like:

I suspect it has something to do with having created a trial account alongside my dev account. Using the dev account caused me to get the warning like the screenshot from OP.

Let me know if you want more repro steps or anything.

It sounds like my trial account is not allowed to use the API, and this bug is stopping my dev account from authorizing. So I did not need to create a trial account. Is this all right?


I am wondering what is going on with this. I have found this discussed in at least two other tickets, both of which seemed to end with private messages between you and the user.

I do not believe it has to do with my app permissions:

I am trying to rapidly upgrade/replace our old integration running on oauth1. For now I am using the hapi-key but I will need this sorted out by mid next week if possible. Do you know if this has been an issue caused by the user/request format or by something in your system as you suspected in a couple places?

Let me know if I can help with any more details or by attempting different URL formats.



I’m also getting this error. I have two accounts. One is a developer account, the other is plain.
I can grant permissions for the developer account but not for the plain one. Why is that?


@plytix Sorry for the delay on this, the issue you were seeing with OAuth 2 and CRM-only portals should be fixed, so you should be able to grant the contacts scope to your portal.


@111 What scopes are you using for this? Can you message me with the two Hub IDs you’re testing?


Thank you. I think the issue was fixed when we bought the “marketing” tool.




I have created a new app (id 37389) and I am trying to install it in my test portal (id 2645075).

I am accessing
and everything is fine. I see the list of permissions.

However, when I click on grant access I am taken to this page:

Please advise.

Kind regards,


@geniiweb the scopes you request in the authorization URL should exactly match the scopes you have selected for the app in the app settings, so if you’re only including the contacts scope in the URL, you’d also only want the contacts scope checked for the app.
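
The scope-matching rule from the reply above, shown as an added example that is not part of the original thread: it parses the `scope` parameter of an authorization URL and reports how it differs from the scopes enabled in the app settings. The function names, the sample URL, and its `client_id` and `redirect_uri` values are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample: placeholder client_id and redirect_uri, not values
# taken from the thread.
SAMPLE_AUTHORIZE_URL = (
    "https://app.hubspot.com/oauth/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000"
    "&redirect_uri=https%3A%2F%2Fexample.com%2Foauth-callback"
    "&scope=contacts%20timeline"
)


def requested_scopes(authorize_url):
    """Return the set of scopes carried in the URL's `scope` parameter."""
    query = parse_qs(urlsplit(authorize_url).query)
    scopes = set()
    for value in query.get("scope", []):
        # OAuth 2.0 scope strings are space-delimited; parse_qs has already
        # decoded both %20 and + into spaces.
        scopes.update(value.split())
    return scopes


def scope_mismatch(authorize_url, app_scopes):
    """Compare the URL's scopes with the scopes checked in the app settings."""
    requested = requested_scopes(authorize_url)
    configured = set(app_scopes)
    return {
        # Checked for the app but absent from the URL.
        "missing_from_url": sorted(configured - requested),
        # Present in the URL but not checked for the app.
        "not_enabled_for_app": sorted(requested - configured),
    }


def scopes_match(authorize_url, app_scopes):
    """True only when both scope sets are identical (order is irrelevant)."""
    return not any(scope_mismatch(authorize_url, app_scopes).values())


if __name__ == "__main__":
    # App settings (hypothetical) have only "contacts" checked.
    print(scope_mismatch(SAMPLE_AUTHORIZE_URL, ["contacts"]))
```
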


@dadams Thank you very much for the quick reply. I was able to install the app. I matched the scopes exactly from the URL with the ones from the app settings. However, I have another problem. After installing the APP, I added a contact through the API (using the API key), but I do not see it in my test portal where the app is installed. I know for sure that the contact has been added because I can retrieve it through API calls. How can I see in my test portal the data that I am adding through the API?

Also worth mentioning is that I tested also through the Hubspot Demo Portal and there I was able to see the contacts that I added through the API.


API keys are portal specific, so you’ll need to make sure that you’re looking in the same portal that you’re using the API key for. If you’re working with test portals inside your developer account, each individual test portal has its own API key, so you’d need to generate and use the key for the specific portal that you’re logged into and looking at the Contacts Dashboard.


Thank you. I generated a new API key from my test portal and everything worked fine.


I am using OAuth, and I am getting a 20X response code. 204, I believe.


I will attempt to test it more today and provide a better reproduction case.


@dadams We tried implementing the new OAuth 2.0 changes in our tool, but the flow does not work fluidly across different portals. We get the same error mentioned in the OP depending on scopes specified and what type of portal the user selects.

  • We tried an App where we requested all five scopes from the standard HubSpot test portal available for all developers. This one returns just fine.

  • We tried the same App where we requested all five scopes for a Sales portal. This results in the error from the OP “You do not have the correct role to grant these permissions”.

  • We tried the same App against a Sales portal with just the “contacts” and “timeline” scope in the request. This time it works correctly.

  • We tried the same App against a developer portal using the “contacts” and “timeline” scope. It throws the same error as the OP.

  • We tried the same App against the developer portal using just the “timeline” scope. This time it works correctly.

The problem with this model is that you have to know what kind of portal the user is going to select before they log into HubSpot to get an access token. They could select one that has what you requested available, or something that has less. This means there is a very low probability to configure something that will work for a given user, and no possibility to design something that will work for everyone.

Is there no way for HubSpot to ignore the scopes that are not even available, similar to how the OAuth 1.0 implementation worked?


@Casey_Thompson there’s not a good way to tell what scopes a portal will have ahead of time (outside of knowing which type of portal the user wants to authenticate with before sending them to the OAuth flow), and we’ll be taking another look at that flow.

Can you tell me more about how your app is currently handling portals that have limited scopes?


@dadams Currently we do not have any handling for portals with limited scopes. We submit the scopes “events-rw settings-rw contacts-rw offline” for every portal. This appears to work without issue. I can also add blog-rw, and keyword-rw to what is requested without it causing a problem for the returned oauth token. I do not currently see any changes in the dialog for authorization when I do this.