We have created our own app. In the first step of creating the app, we chose “private app” (One off Only my portal will get value out of this amazing app).
Hi @dadams! I built an integration that works fine with the HubSpot testing account but gives out the “don’t have permission … contact administrator…” when trying to integrate with a regular Marketing account. Hub ID of the development account is 3460349. The Hub ID of the regular account I am trying to link to the app is 3856364. The app I built is called Datavalidation and is in the developer account. We are ready to release this integration to our clients once this is cleared. Many thanks!
@varun @Tamas_Pal Are you trying to authorize your developer account, or a separate test portal? Developer accounts won’t be able to install any apps, so if that is the case you’d need to create a test portal for any testing you want to do:
Test portals can be used to test your integration without affecting your live HubSpot data.
Otherwise, if you’re authenticating your production account, double check to make sure that the scopes you’re requesting are available for the type of account you’re trying to authorize. There’s a list of the scopes and the accounts they’d work for here:
https://app.hubspot.com/oauth/authorize - Initiate authentication for an app using OAuth 2.0
If you’re using a scope that should work with your account and still seeing that message, can you send me your Hub ID and the scopes you’re requesting so I can take a look?
Hi guys, I’m having this exact same problem, anybody found a solution?
For our developer account, I’m the Account administrator and Developers administrator.
For our own HubSpot account, I’m the Account administrator, Sales administrator.
I’m admin for both, so don’t understand why I’m getting this “Uh oh! You do not have the correct role to grant these permissions. Please contact your administrator.” error.
@dadams I’m also facing this issue. I created an APP in a dev account, and selected just the “contacts” scope in the app panel. And I’m sure that I’m passing the exact same scope to HubSpot. Getting the authorization code works perfectly fine. I can even see in the URL for the Authorization page the scope passed:
@dadams Our app does use these scopes when they are available. We do provide access to read information from the Blog API for instance. However, as you stated, if the specific portal being used does not have access to that information, it returns an error. We do not currently have special handling for these kinds of errors, but it is something that is a better user experience than nothing working.
We could either throw a more explicit error indicating that the portal being used does not have access to the features. Or we could also just return no information and not error.
@dadams Currently we do not have any handling for portals with limited scopes. We submit the scopes “events-rw settings-rw contacts-rw offline” for every portal. This appears to work without issue. I can also add blog-rw, and keyword-rw to what is requested without it causing a problem for the returned oauth token. I do not currently see any changes in the dialog for authorization when I do this.
@Casey_Thompson is your app actually using all of those scopes? For example, if you’re using the Blog API and a CRM-only portal connects to your app, the portal could authorize the connection, but you’d get an error if you tried to make requests against the Blog API. Does your app currently have any special error handling for that type of error?
@dadams We tried implementing the new OAuth 2.0 changes in our tool, but the flow does not work fluidly across different portals. We get the same error mentioned in the OP depending on scopes specified and what type of portal the user selects.
We tried an App where we requested all five scopes from the standard HubSpot test portal available for all developers. This one returns just fine.
We tried the same App where we requested all five scopes for a Sales portal. This results in the error from the OP “You do not have the correct role to grant these permissions”.
We tried the same App against a Sales portal with just the “contacts” and “timeline” scope in the request. This time it works correctly.
We tried the same App against a developer portal using the “contacts” and “timeline” scope. It throws the same error as the OP.
We tried the same App against the developer portal using just the “timeline” scope. This time it works correctly.
The problem with this model is that you have to know what kind of portal the user is going to select before they log into HubSpot to get an access token. They could select one that has what you requested available, or something that has less. This means there is a very low probability to configure something that will work for a given user, and no possibility to design something that will work for everyone.
Is there no way for HubSpot to ignore the scopes that are not even available, similar to how the OAuth 1.0 implementation worked?
@Casey_Thompson there’s not a good way to tell what scopes a portal will have ahead of time (outside of knowing which type of portal the user wants to authenticate with before sending them to the OAuth flow), and we’ll be taking another look at that flow.
Can you tell me more about how your app is currently handling portals that have limited scopes?
@geniiweb the scopes you request in the authorization URL should exactly match the scopes you have selected for the app in the app settings, so if you’re only including the contacts scope in the URL, you’d also only want the contacts scope checked for the app.
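The scope-matching rule from the reply above, as an added example that is not part of the original thread and not HubSpot's own code: it builds the authorize URL from the scopes selected in the app settings and reports any difference between the two sets. The client ID, redirect URI and function names are constructed placeholders; only the authorize endpoint and the scope names come from the thread.

```python
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Endpoint quoted in the thread.
AUTHORIZE_URL = "https://app.hubspot.com/oauth/authorize"


def build_authorize_url(client_id, redirect_uri, app_scopes):
    """Build the authorize URL from the scopes ticked in the app settings,
    so the URL and the app configuration cannot drift apart."""
    query = urlencode(
        {
            "client_id": client_id,
            "redirect_uri": redirect_uri,
            # Scopes are sent as one space-separated value.
            "scope": " ".join(sorted(set(app_scopes))),
        },
        quote_via=quote,  # encode spaces as %20 rather than '+'
    )
    return f"{AUTHORIZE_URL}?{query}"


def scope_mismatch(authorize_url, app_scopes):
    """Compare the scope parameter of an authorize URL with the scopes
    configured for the app. Both lists are empty when they match exactly."""
    params = parse_qs(urlsplit(authorize_url).query)
    requested = set()
    for value in params.get("scope", []):
        requested.update(value.split())  # handles %20 and '+' separators
    configured = set(app_scopes)
    return {
        "missing_from_url": sorted(configured - requested),
        "not_in_app_settings": sorted(requested - configured),
    }


if __name__ == "__main__":
    # Constructed sample: the app has only "contacts" selected, but the URL
    # also asks for "timeline".
    sample = AUTHORIZE_URL + "?client_id=PLACEHOLDER&scope=contacts%20timeline"
    print(scope_mismatch(sample, ["contacts"]))
    print(build_authorize_url("PLACEHOLDER", "https://example.test/cb", ["contacts"]))
```
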
@dadams Thank you very much for the quick reply. I was able to install the app. I matched the scopes exactly from the URL with the ones from the app settings. However, I have another problem. After installing the APP, I added a contact through the API (using the API key), but I do not see it in my test portal where the app is installed. I know for sure that the contact has been added because I can retrieve it through API calls. How can I see in my test portal the data that I am adding through the API?
Also worth mentioning is that I tested also through the HubSpot Demo Portal and there I was able to see the contacts that I added through the API.
API keys are portal specific, so you’ll need to make sure that you’re looking in the same portal that you’re using the API key for. If you’re working with test portals inside your developer account, each individual test portal has its own API key, so you’d need to generate and use the key for the specific portal that you’re logged into and looking at the Contacts Dashboard.
I’m also getting this error. I have two accounts. One is a developer account, the other is plain.
I can grant permissions for the developer account but not for the plain one. Why is that?