401 Error with User-Level OAuth Token for mcp.hubspot.com

Hi @sejal_parikh ,

I’m building a centralized AI hub for enterprises where they can interact with different models using their enterprise data.

1. Do you have plans to support public use? If so, any ETA would be helpful.
2. If there are no plans yet, our use case is very similar to your existing ChatGPT connector. Could you provide a special setup similar to what you did for ChatGPT?
3. If neither of the above is possible, could you provide some guidance on setting up a connector on top of the existing architecture?

Additional context:

• The app needs to be public so that multi-user OAuth is possible.
• How should we manage user permissions? The access token reflects the permissions granted at the time of initialization, but if a user’s permissions are later revoked, the token may still allow access. This creates a risk of resources being accessed through the AI even though the user no longer has access. Any guidance on how to properly validate user access would be very helpful.

Thanks

@keurcien  There isn’t any documentation available for it yet. I came across it through their blog and decided to test it out - https://product.hubspot.com/blog/unlocking-deep-research-crm-connector-for-chatgpt.

I’m hoping it will be available for public apps as well, so we don’t need to handle granular token access ourselves and can rely on the built-in permission model instead.

Hi @Jigar_Thakker ,

Thanks for the reply. I followed the steps from the docs, but I'm still getting the same error. Actual values are replaced with $VALUES for brevity.

1. OAuth URL

https://app.hubspot.com/oauth/authorize?response_type=code&client_id=$CLIENT_ID&redirect_uri=$REDIRECT_URI&scope=oauth&optional_scope=$OPTIONAL_SCOPE&state=$STATE

Here is the OAuth screen for your reference.

2. Token Exchange

curl -X POST "https://api.hubapi.com/oauth/v1/token" \
     -H "Content-Type: application/x-www-form-urlencoded" \
     -d "grant_type=authorization_code" \
     -d "code=$AUTH_CODE" \
     -d "client_id=$CLIENT_ID" \
     -d "client_secret=$CLIENT_SECRET" \
     -d "redirect_uri=$REDIRECT_URI"

3. Verified the access token metadata

curl -X GET "https://api.hubapi.com/oauth/v1/access-tokens/$ACCESS_TOKEN" \
     -H "Authorization: Bearer $ACCESS_TOKEN"

Response:

{
  "token": "...",
  "user": "...",
  "hub_domain": "...",
  "scopes": [
    "oauth",
    "crm.objects.contacts.read",
    "crm.objects.contacts.write",
    "crm.objects.companies.write",
    "crm.objects.companies.read",
    "crm.objects.deals.read",
    "crm.objects.deals.write",
    "crm.objects.owners.read"
  ],
  "signed_access_token": {
    "expiresAt": 1755802709136,
    "scopes": "...",
    "hubId": ...,
    "userId": ...,
    "appId": ...,
    "signature": "...",
    "scopeToScopeGroupPks": "...",
    "newSignature": "...",
    "hublet": "...",
    "trialScopes": "",
    "trialScopeToScopeGroupPks": "",
    "isUserLevel": false,
    "installingUserId": ...,
    "isServiceAccount": false,
    "isPrivateDistribution": false
  },
  "token_type": "access",
  "user_id": ...,
  "app_id": ...,
  "hub_id": ...,
  "is_private_distribution": false,
  "expires_in": 1798
}

4. But when I tried to initialize the MCP client with that access token, it is throwing the same error.

"Error POSTing to endpoint (HTTP 401): This endpoint requires a user level OAuth token"

Let me know if you need any other details.

Facing this same issue. Would love to hear an update. The docs feel lacking atm

Hi @elie222,

Thank you for posting to the Community!

Were you able to test out @Jigar_Thakker's Accepted Solution above? If so, where are you getting stuck? Can you share the steps you've taken thus far? 

Thank you!

Cassie, Community Manager

Loop Marketing is a new four-stage approach that combines AI efficiency and human authenticity to drive growth. Learn More