403 Forbidden when updating CRM object property via hubspot.fetch in UI Extension

SPrakash37 · ‎Oct 9, 2025

Hi HubSpot Support,

I’m calling hubspot.fetch from a CRM UI Extension to PATCH a custom object record and receiving a 403 Forbidden. I’m not including portal or app details here — please advise on the minimal required scopes/permissions and the correct approach to update a pipeline-stage (or equivalent) property from a UI extension.

Below is the exact client-side code I’m calling from the extension (relative path via hubspot.fetch):

// Example used inside a CRM UI Extension
const path = `/crm/v3/objects/2-143370794/${encodeURIComponent(objectId)}`;

const res = await hubspot.fetch(path, {
  method: 'PATCH',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({
    properties: {
      hs_pipeline_stage: String(nextInternal) // stage internal id
    }
  })
});

const text = await res.text();
console.log('status', res.status, text);

Questions:

What OAuth scopes are required so a UI Extension can PATCH custom object records (and specifically update pipeline-stage properties)?
Is a special scope needed to update pipeline/stage properties (system-managed or protected fields)?
Are there any additional installation steps or portal/user permissions required for the hubspot.fetch proxy to allow PATCH (e.g., reinstallation after changing scopes)?
If updating a pipeline requires a different payload (e.g., setting pipeline id + stage id together), please share the exact minimal PATCH payload format.
If there are internal restrictions preventing UI extensions from updating certain properties, please explain recommended alternatives.

Please respond with the minimal required scopes and the recommended PATCH payload/approach (or configuration steps) so I can fix this from the extension side. Thanks.

Mike_Eastwood · ‎Oct 9, 2025

Hi @SPrakash37

Hubspot Fetch is not designed to directly access the CRM. It is designed for external API calls.

Are you building a Private App (used only on your HubSpot Portal) or a Public App (for the Marketplace)?

A Private App will let you access Portals directly using a Serverless Function but it's not suitable for wider distribution (on multiple portals - a Public App). And, this is a legacy feature so I wouldn't rely on it if you are building a long term solution.

This will help decide your best approach:

https://developers.hubspot.com/docs/apps/developer-platform/build-apps/authentication/overview

There is a way a Public App (that uses OAuth) can grant a token to access the CRM directly (for a short time) via the API but I cannot find the page in the docs.

Have fun

Mike

p.s. thank you for the mention @chighsmith

Here to learn more about HubSpot and share my HubSpot Knowledge. I'm the founder of Webalite a Gold HubSpot Partner Agency based in Wellington, New Zealand and the founder of Portal-iQ the world's first automated HubSpot Portal Audit that helps you work smarter with HubSpot.

View solution in original post

Mike_Eastwood · ‎Oct 9, 2025