OAuth is a secure means of authentication that uses authorization tokens rather than a password to connect your app to a user account. Initiating OAuth access is the first step towards allowing users to install your app in their HubSpot accounts.

  • The OAuth Quickstart Guide will get you up and running with a working example app.
  • This HubSpot Academy tutorial provides a quick introduction on using OAuth with HubSpot, including a breakdown of the HubSpot-OAuth flow and how to refresh an access token.

To initiate an integration with OAuth 2.0:

  • Use the client ID and client secret, along with the query parameters and scopes outlined below, to build your authorization URL.

  • Send users installing your app to the authorization URL, where they'll be presented with a screen that allows them to select their account and grant access to your integration. You can set the authorization URL to be for a specific HubSpot account by adding the account ID between /oauth/ and /authorize, as shown below. After granting access, they'll be redirected back to your application via a redirect_url, which will have a code query parameter appended to it. You'll use that code and the client secret to get an access_token and refresh_token from HubSpot.

    • Example authorization URLs
      • Any account: https://app.hubspot.com/oauth/authorize?client_id=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx&scope=contacts%20automation&redirect_uri=https://www.example.com/
      • Specific account (ID 123456): https://app.hubspot.com/oauth/123456/authorize?client_id=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx&scope=contacts%20automation&redirect_uri=https://www.example.com/
    • Example redirect URL: https://example.com/?code=xxxx
    • Example error: https://www.example.com/?error=error_code&error_description=Human%20readable%20description%20of%20the%20error
  • Use the access_token to authenticate any API calls made for that HubSpot account.

  • Once the access_token expires, use the refresh_token to generate a new access_token.

The following parameters are required when building an authorization URL for your app:

| Parameter | Description | How to use |
| --- | --- | --- |
| Client ID | client_id=x Used in the URL. | Get this from your app's Auth settings page (as described above). |
| Redirect URL | redirect_uri=x The URL visitors will be redirected to after granting access to your app. | You'll also designate this on your app's Auth settings page. Note: For security reasons, this URL must use https in production. (When testing using localhost, http can be used.) You also must use a domain, as IP addresses are not supported. |
| Scope | scope=x%20x A space-separated set of permissions that your app needs access to. | Any scopes that you've checked off in your app's Auth settings will be treated as required, and you'll need to include them in this parameter or the authorization page will display an error. Additionally, users will get an error if they try to install your app on an account that doesn't have access to an included scope. See the Scopes table below for more details about which endpoints can be accessed by specific scopes. |

The following parameters are optional:

| Parameter | How to use | Description |
| --- | --- | --- |
| Optional scopes | &optional_scope=x%20x | A space-separated set of optional permissions for your app. Optional scopes will be automatically dropped from the authorization request if the user selects a HubSpot account that does not have access to that tool (such as requesting the social scope on a CRM only portal). If you're using optional scopes, you will need to check the access token or refresh token to see which ones were granted. See the table below for more details about scopes. |
| State | &state=y If this parameter is included in the authorization URL, the value will be included in a state query parameter when the user is directed to the redirect_url. | A string value that can be used to maintain the user's state when they're redirected back to your app. |
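The authorization URL and the redirect handling described above, as an added example that is not HubSpot's own code. The function names are hypothetical, and using a random state value kept in the user's session to bind the redirect to the attempt that started it is an assumption of this example; the page itself only says that state is echoed back.

```python
import hmac
import ipaddress
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlsplit

AUTHORIZE_HOST = "https://app.hubspot.com"  # host taken from the example URLs above


class OAuthCallbackError(Exception):
    """The redirect back to the app reported an error or could not be trusted."""


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def build_authorization_url(client_id, redirect_uri, scopes, optional_scopes=(), account_id=None):
    """Return (url, state); keep state in the user's server-side session."""
    parts = urlsplit(redirect_uri)
    host = parts.hostname or ""
    if _is_ip(host) or not (parts.scheme == "https" or (parts.scheme == "http" and host == "localhost")):
        raise ValueError("redirect_uri needs https and a domain (http only for localhost)")
    state = secrets.token_urlsafe(32)  # unguessable, one per authorization attempt
    params = {"client_id": client_id, "scope": " ".join(scopes), "redirect_uri": redirect_uri, "state": state}
    if optional_scopes:
        params["optional_scope"] = " ".join(optional_scopes)
    path = "/oauth/authorize" if account_id is None else f"/oauth/{account_id}/authorize"
    # quote_via=quote encodes spaces as %20, matching scope=x%20x in the table
    return f"{AUTHORIZE_HOST}{path}?{urlencode(params, quote_via=quote)}", state


def handle_redirect(callback_url, expected_state):
    """Check the redirect against the stored state and return the code."""
    query = parse_qs(urlsplit(callback_url).query)
    if "error" in query:
        description = query.get("error_description", [""])[0]
        raise OAuthCallbackError(f"{query['error'][0]}: {description}")
    returned = query.get("state", [""])[0]
    if not expected_state or not hmac.compare_digest(returned.encode(), expected_state.encode()):
        raise OAuthCallbackError("state mismatch: redirect is not bound to this session")
    codes = query.get("code", [])
    if len(codes) != 1:
        raise OAuthCallbackError("expected exactly one code parameter")
    return codes[0]
```

Only the code returned by handle_redirect should go on to the token exchange; the client secret stays on the server and never appears in the authorization URL.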

OAuth requires you to set scopes, or permissions, for your app. Each scope provides access to a set of HubSpot API endpoints and allows users to grant your app access to specific tools in their HubSpot account.

Access to specific APIs or endpoints depends on HubSpot account tier. You can find a full list of available scopes and accessible endpoints in the table below. If your app can work with multiple types of HubSpot accounts, you can use the optional_scope parameter to include any tiered scopes you work with. This way, customers using CRM-only accounts can still authorize your app, even if they can't access all of its scopes. Your app must check for and handle any scopes that it doesn't get authorized for.
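One way to handle scopes that were not granted, as an added example that is not HubSpot's own code. It assumes the app has already obtained the list of scopes granted to the token; the function name, the feature names and the sample configuration are constructed for illustration, while the scope names come from this page's scopes table.

```python
DEFAULT_SCOPES = {"oauth"}  # the page notes this scope is added to all apps

# Constructed configuration for a hypothetical app.
REQUIRED = {"crm.objects.contacts.read"}
OPTIONAL = {"social", "automation"}
FEATURES = {
    "contact_sync": {"crm.objects.contacts.read"},
    "social_inbox": {"social"},
    "workflow_triggers": {"automation", "crm.objects.contacts.read"},
}


class MissingRequiredScope(Exception):
    """The token lacks a scope the app cannot run without."""


def reconcile_scopes(granted, required=REQUIRED, optional=OPTIONAL, features=FEATURES):
    """Compare the scopes reported for a token with what the app asked for."""
    granted = set(granted.split()) if isinstance(granted, str) else set(granted)
    missing = set(required) - granted
    if missing:
        raise MissingRequiredScope(", ".join(sorted(missing)))
    enabled, disabled = [], {}
    for name, needs in sorted(features.items()):
        lacking = sorted(set(needs) - granted)
        if lacking:
            disabled[name] = lacking  # feature stays off; record which scopes it lacks
        else:
            enabled.append(name)
    return {
        "enabled": enabled,
        "disabled": disabled,
        "dropped_optional": sorted(set(optional) - granted),
        # Scopes the token carries that the app never asked for: worth logging.
        "unrequested": sorted(granted - set(required) - set(optional) - DEFAULT_SCOPES),
    }
```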

| Scope | Description | Provides access to | Required account tier |
| --- | --- | --- | --- |
| cms.domains.read | Integrators can list CMS domains in a customer's account. | CMS API | Any account |
| cms.domains.write | Integrators can create, update, and delete CMS custom domains. | CMS API | Any account |
| cms.functions.read | Integrators can view all CMS serverless functions, any related secrets, and function execution results. | CMS API | CMS Hub Enterprise |
| cms.functions.write | Integrators can write CMS serverless functions and secrets. | CMS API | CMS Hub Enterprise |
| cms.knowledge_base.articles.read | View details about knowledge articles. | CMS API | Service Hub Professional or Enterprise |
| cms.knowledge_base.articles.write | Grants access to update knowledge articles. | CMS API | Service Hub Professional or Enterprise |
| cms.knowledge_base.articles.publish | Grants access to update and publish knowledge articles. | CMS API | Service Hub Professional or Enterprise |
| cms.knowledge_base.settings.read | View general and template knowledge base settings, such as the domain or root URL. | CMS API | Service Hub Professional or Enterprise |
| cms.knowledge_base.settings.write | Grants access to update general and template knowledge base settings. This includes write access to knowledge articles. | CMS API | Service Hub Professional or Enterprise |
| cms.performance.read | Integrators can view CMS performance data for all your sites. | CMS API | Any account |
| crm.lists.read | View details about contact lists. | List endpoints | Any account |
| crm.lists.write | Create, delete, or make changes to contact lists. | List endpoints | Any account |
| crm.objects.companies.read | View properties and other details about companies. | Companies endpoints | Any account |
| crm.objects.companies.write | View properties and create, delete, or make changes to companies. | Companies endpoints | Any account |
| crm.objects.contacts.read | View properties and other details about contacts. | Contacts endpoints | Any account |
| crm.objects.contacts.write | View properties and create, delete, and make changes to contacts. | Contacts endpoints | Any account |
| crm.objects.custom.read | View details about custom objects in the HubSpot CRM. | Custom objects endpoints | Any Enterprise |
| crm.objects.custom.write | Create, delete, or make changes to custom objects in the HubSpot CRM. | Custom objects endpoints | Any Enterprise |
| crm.objects.deals.read | View properties and other details about deals. | Deal endpoints | Any account |
| crm.objects.deals.write | View properties and create, delete, or make changes to deals. | Deal endpoints | Any account |
| crm.objects.feedback_submission.read | View details about submissions to any of your feedback surveys. | Feedback survey endpoints | Service Hub Professional or Enterprise |
| crm.objects.goals.read | View all goal types. | Goals endpoints | Sales Hub Starter, Professional, or Enterprise |
| crm.objects.line_items.read | View properties and other details about line items. | Line items endpoints | Any account |
| crm.objects.line_items.write | Create, delete, or make changes to line items. | Line items endpoints | Any account |
| crm.objects.marketing_events.read | View details about marketing events. | Marketing events endpoints | Any account |
| crm.objects.marketing_events.write | Create, delete, or make changes to marketing events. | Marketing events endpoints | Any account |
| crm.objects.owners.read | View details about users assigned to a CRM record. | Owners endpoints | Any account |
| crm.objects.quotes.read | View properties and other details about quotes and quote templates. | Quote endpoints | Any account |
| crm.objects.quotes.write | Create, delete, or make changes to quotes. | Quote endpoints | Any account |
| crm.schemas.companies.read | View details about property settings for companies. | Properties endpoints | Any account |
| crm.schemas.companies.write | Create, delete, or make changes to property settings for companies. | Properties endpoints | Any account |
| crm.schemas.contacts.read | View details about property settings for contacts. | Properties endpoints | Any account |
| crm.schemas.contacts.write | Create, delete, or make changes to property settings for contacts. | Properties endpoints | Any account |
| crm.schemas.custom.read | View details about custom object definitions in the HubSpot CRM. | Custom objects endpoints | Any Enterprise |
| crm.schemas.deals.read | View details about property settings for deals. | Properties endpoints | Any account |
| crm.schemas.deals.write | Create, delete, or make changes to property settings for deals. | Properties endpoints | Any account |
| crm.schemas.line_items.read | View details about line items. | Line items endpoints | Any account |
| crm.schemas.quotes.read | View details about quotes and quotes templates. | Quote endpoints | Any account |
| settings.billing.write | Make changes to your account's billing settings. This includes managing and assigning paid seats for users. | Settings endpoints | Any account |
| settings.currencies.read | Reads existing exchange rates along with the current company currency associated with your portal. | Account information endpoints | Any account |
| settings.currencies.write | Create, update and delete exchange rates along with updating the company currency associated with your portal. | Account information endpoints | Any account |
| settings.users.read | View details about account users and their permissions. | User Provisioning endpoints | Any account |
| settings.users.write | Manage users and user permissions on your HubSpot account. This includes creating new users, assigning permissions and roles, and deleting existing users. | User Provisioning endpoints | Any account |
| settings.users.teams.read | See details about the account's teams. | User Provisioning endpoints | Any account |
| settings.users.team.write | Assign users to teams on your HubSpot account. | User Provisioning endpoints | Any account |
| account-info.security.read | Includes access to account activity logs and other account security information. | Account activity API | Any account |
| accounting | Allows HubSpot and the accounting integration to share invoice, product, and contact details. | Accounting Extension API | Any account |
| actions | Add forms to the contact's pages that do custom actions. | CRM Extensions API | Any account |
| analytics.behavioral_events.send | Includes access to send custom behavioral events. | Analytics API | Marketing Hub Enterprise |
| automation | This includes workflows. | Automation API (Workflows endpoints) | Marketing Hub Professional or Enterprise |
| behavioral_events.event_definitions.read_write | Create, read, update, or delete behavioral events. This includes behavioral event properties. | Analytics API | Marketing Hub Enterprise |
| business_units.view.read | View business unit data, including logo information. | Business Units API | Business Units Add-on |
| business-intelligence | This includes endpoints that sit on top of sources and email. | Analytics API | Any account |
| collector.graphql_query.execute | Query data from your HubSpot account using the GraphQL API endpoint. | GraphQL API endpoint | CMS Hub Professional or Enterprise |
| collector.graphql_schema.read | Perform introspection queries via GraphQL application clients such as GraphiQL. | GraphiQL and other 3rd party GraphQL clients | CMS Hub Professional or Enterprise |
| communication_preferences.read | View details of your contacts' subscription preferences. | Subscription Preferences API | Any account |
| communication_preferences.read_write | Subscribe/unsubscribe contacts to your subscription types. It won't subscribe contacts who have unsubscribed. | Subscription Preferences API | Any account |
| communication_preferences.write | Subscribe/unsubscribe contacts to your subscription types. It won't subscribe contacts who have unsubscribed. | Subscription Preferences API | Any account |
| content | This includes sites, landing pages, email, blog, and campaigns. | CMS API and Calendar, Email and Email Events endpoints | CMS Hub Professional or Enterprise, or Marketing Hub Professional or Enterprise |
| conversations.read | View details about threads in the conversations inbox. | Conversations inbox and messages API | Any account |
| conversations.visitor_identification.tokens.create | Fetch identification tokens for authenticated website visitors interacting with the HubSpot chat widget. | Visitor Identification API | Any Professional or Enterprise |
| conversations.write | Send messages in conversations. Create and update message threads. | Conversations inbox and messages API | Any account |
| crm.export | Export records from your CRM for all CRM data types. | CRM Exports API | Any account |
| crm.import | Allows you to import records into your CRM. This includes creating new records or modifying any of your existing records for all CRM data types (contacts, companies, deals, tickets, etc). It doesn't include archiving or deleting any data. | CRM Imports API | Any account |
| ctas.read | Allows read access for CTAs. | No public API available | Marketing Hub or CMS Hub Starter, Professional or Enterprise |
| e-commerce | This includes access to e-commerce features. | Products and line items endpoints | Any account |
| external_integrations.forms.access | Includes the ability to rename, delete, and clone existing forms. | Forms endpoints | Any account |
| files | This includes access to File Manager. | Files (File Manager) and file mapper (CMS templates, modules, and layout) endpoints | Any account |
| files.ui_hidden.read | View details or download user files, attachments, and system files from all HubSpot tools. | Files (File Manager) and file mapper (CMS templates, modules, and layout) endpoints | Any account |
| forms | This includes access to the Forms endpoints. | Forms endpoints | Any account |
| forms-uploaded-files | Download files submitted through a form. | Get a file uploaded via form submission endpoint | Any account |
| hubdb | This includes access to HubDB. | HubDB endpoints | CMS Hub Professional or Enterprise, or Marketing Hub Professional or Enterprise with Website Add-on |
| integration-sync | This exposes the sync API, which allows syncing of most CRM objects. | Ecommerce Bridge API | Any account |
| media_bridge.read | Grants access to events and objects from the media bridge. | Media Bridge API | Any account |
| media_bridge.write | Grants access to create and update events and objects from the media bridge. | Media Bridge API | Any account |
| oauth | Basic scope required for OAuth. This scope is added by default to all apps. | | Any account |
| sales-email-read | Grants access to read all details of one-to-one emails sent to contacts. | Engagements endpoints. Note: This scope is required to get the content of email engagements. See the Engagements overview for more details. | Any account |
| social | This includes Social Inbox. | Social Media API | Marketing Hub Professional or Enterprise |
| tickets | This includes access to tickets. | Tickets endpoints | Any account |
| timeline | Grants access to manage custom events on HubSpot CRM records. This includes creating or updating records. | Timeline Events endpoints | Any account |
| transactional-email | This includes transactional emails and the transactional emails endpoints. | Transactional email endpoints | Marketing Hub Professional or Enterprise with Transactional Email Add-on |