You do not have the correct role to grant these permissions. Please contact your administrator



We are essentially blocked from developing an integration due to this error.

  1. We signed up for a Developer Account 2752939
  2. We created a test application 38482
  3. We created a test Hub 4392066

The application requires contact and timeline scopes.
My Super Admin account is able to authenticate and I can access the API to perform various functions.

I invited other engineers to the hub and they get the above error.
They have access to Contacts and Sales. Which roles am I missing to get this to work please?

Engagement TASK ownerId vs createdBy

Hi @jimig,

Are they trying to install the app into a different test portal? App installations are portal-wide, so if they're users in the test portal they shouldn't need to change their settings or anything.

If they need to be able to install the app in other test portals, they'll need full read/write CRM permissions in the test portal they're installing the app to. If you give me the user(s) in question, I can check their permissions and let you know what they might be missing.


Hi Derek,

The app is already installed as an integration.
Each user logs in separately to grant access to their contacts and timeline. During this process, we get the error.

The user in question is Veselin Kulov


Hi @jimig,

That's not how the OAuth2 flow works; integrations are installed portal-wide a single time. It's not possible to build user-specific integrations on the Going through the OAuth2 install flow again with a new user will just result in a re-install attempt, which may/may not work based on the user's permissions. If you've successfully installed the app to a particular HubSpot portal, and the integration has the contacts scope, then the integration has access to all contacts in the portal, regardless of owner.

Here's a useful resource for understanding the HubSpot OAuth2 flow; the HubSpot flow is number one, the Authorization Code Flow:


Thanks for clarifying @Derek_Gervais

The HubSpot admin initially connects the account and we request contacts permission from them (for Hub-wide sync), as well as timeline. So far so good.

Next, we authenticate each user and capture their basic profile (email address, name) and request permission to post timeline events. Think of this as a "Login with HubSpot" button.

  1. Are you suggesting that merely placing a user through the OAuth flow re-install the integration each time? If so, is there a way to authenticate standard users without that?

  2. If the admin grants timeline, does it grant for the entire team?


Hi @jimig,

  1. That's not really a supported use case; you could send each new user through the OAuth flow again, but that would essentially be re-installing the integration over and over. If any of the users didn't have sufficient permission to install the app, you'd run into this error again. There isn't currently any user-specific authentication flow, so I'd recommend against trying to replicate a 'Login with HubSpot' functionality. This is something that HubSpot would love to implement, but I don't have any info on timeframes yet.
  2. Yes, scopes are granted by an admin for the entire portal. If the timeline scope is granted, your integration has access to the timeline API. This is completely user independent.


Thanks Derek.

How do we do things like logging engagements on behalf of an owner that isn’t the hub owner?


Derek, we've found the Owners API and will put this to use to solve our use case. Thanks for your assistance.

It might be worthwhile clarifying the documentation regarding the contacts scope- that full permissions are needed.