Users may have seen permission errors when re-authing apps that migrated from OAuth1 to OAuth2 due to the restrictive nature of OAuth2 scopes.

Over the last year HubSpot has been working to deprecate our support for OAuth 1 in favor of OAuth 2, requiring any and all integrations using OAuth 1 to migrate over. Because OAuth 1 and OAuth 2 handle scopes slightly differently, some users may be running into permission errors when trying to re-authenticate certain integrations. Specifically, after selecting a portal, users might see this page: 

It’s important to note that the actual permissions have not changed; rather, the approval process has shifted. OAuth 1 allowed users to approve scopes that weren’t available given their product tier. Even though they could approve the scopes, the API requests to those APIs would fail. With OAuth 2, users will no longer be able to approve scopes if they don’t have access to the relevant scopes.

What does this mean?

If you or your users are seeing that page and the user installing the integration is an admin in HubSpot, it’s possible that the portal doesn’t have access to all the scopes that the integration requires. For example, Marketing Free portals will be unable to install integrations that require ‘Marketing Only’ scopes (listed here: https://developers.hubspot.com/docs/methods/oauth2/initiate-oauth-integration#scopes).

What do I do?

If the offending scopes are necessary for the integration to function, it’s not possible for a portal without proper access to install them. If the integration can function without them, these scopes should be requested as optional scopes, which would allow portals without access (like HubSpot Marketing Free portals) to install them. If you’re a user with questions regarding a specific integration, we encourage you to connect with the support team for the respective integrator so their specialists can help you dig in further.

Questions? Join the discussion here or https://help.hubspot.com/.