Announcement: Scopes will be required for apps using webhooks or CRM Extensions

November 13, 2019

Data security and privacy are very important to us here at HubSpot. Over the coming months, we'll be making updates to our app platform that will help customers better understand what data can be accessed by any apps they're connecting to their HubSpot account.

As part of this ongoing effort, we are making a change to the scope requirements for apps using webhooks or CRM extensions. Starting today, new apps or existing apps that are not already using these features will be required to request the scopes for any objects that those features are set up for.

What is changing?

Any apps using webhooks or CRM extensions will be required to request the contacts or tickets scopes, depending on the configuration of those features.

For webhooks, this will mean that the contacts scope will be required if there are any webhook subscriptions set up for the app.

For CRM Extensions, the contacts scope will be required if there are any CRM cards with the target record types of contacts, companies, or deals. The tickets scope will be required if there are any CRM cards with the target record type of tickets.

These scopes will be enforced when adding either of these features to your app. When enabling these features inside the app settings in your developer account, you will see a message asking you to add the appropriate scope to your app before you will be allowed to enable the feature. When accessing these features through the API, you will receive an error from the request if the appropriate scopes are not already added to your app settings.

Additionally, you will need to include the appropriate scopes in your authorization URL that users will use when installing your app.

Why is this happening?

Requiring these scopes will make it explicit to users that your integration will have access to the data in their HubSpot CRM and Service Hub. Including the scopes in the authorization URL will cause the scopes to be displayed to the user connecting the app, and will require them to approve access before your integration will start receiving CRM data through webhooks or CRM extension fetch requests.

When is this happening?

We will begin enforcing these scopes for new apps or apps not currently using webhooks or CRM extensions beginning today. If you currently have an active integration that uses these features, we'll be reaching out directly with more details about updating your app.

See the CRM Extensions overview and Webhook overview for more details about the scope requirements for these features, and see the OAuth documentation for details on updating the scopes in your authorization URL.

Please let us know if you have any questions by joining the discussion in our community.