Dadams
HubSpot Employee

Announcement: Scopes will be required for apps using webhooks or CRM Extensions

Data security and privacy are very important to us here at HubSpot. Over the coming months, we'll be making updates to our app platform that will help customers better understand what data can be accessed by any apps they're connecting to their HubSpot account.

As part of this ongoing effort, we are making a change to the scope requirements for apps using webhooks or CRM extensions. Starting today, new apps or existing apps that are not already using these features will be required to request the scopes for any objects that those features are set up for.

What is changing?

Any apps using webhooks or CRM extensions will be required to request the contacts or tickets scopes, depending on the configuration of those features.

For webhooks, this will mean that the contacts scope will be required if there are any webhook subscriptions set up for the app.

For CRM Extensions, the contacts scope will be required if there are any CRM cards with the target record types of contacts, companies, or deals. The tickets scope will be required if there are any CRM cards with the target record type of tickets.

These scopes will be enforced when adding either of these features to your app. When enabling these features inside the app settings in your developer account, you will see a message asking you to add the appropriate scope to your app before you will be allowed to enable the feature. When accessing these features through the API, you will receive an error from the request if the appropriate scopes are not already added to your app settings.

Additionally, you will need to include the appropriate scopes in your authorization URL that users will use when installing your app.

Why is this happening?

Requiring these scopes will make it explicit to users that your integration will have access to the data in their HubSpot CRM and Service Hub. Including the scopes in the authorization URL will cause the scopes to be displayed to the user connecting the app, and will require them to approve access before your integration will start receiving CRM data through webhooks or CRM extension fetch requests.

When is this happening?

We will begin enforcing these scopes for new apps or apps not currently using webhooks or CRM extensions beginning today. If you currently have an active integration that uses these features, we'll be reaching out directly with more details about updating your app.

See the CRM Extensions overview and Webhook overview for more details about the scope requirements for these features, and see the OAuth documentation for details on updating the scopes in your authorization URL.

Please let us know if you have any questions by replying below.
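The scope rules in the announcement above can be checked against an app's authorization URL before release; this is an added example, not HubSpot's code and not part of the original post. The function names, the placeholder host and client ID, and the sample subscription name are assumptions made for illustration.

```python
from urllib.parse import urlparse, parse_qs

# Rules as stated in the announcement above.
CONTACTS_CARD_TARGETS = {"contacts", "companies", "deals"}
TICKETS_CARD_TARGETS = {"tickets"}


def required_scopes(webhook_subscriptions, crm_card_targets):
    """Return the scopes the announcement requires for this app configuration.

    webhook_subscriptions: list of subscriptions (any entry triggers `contacts`).
    crm_card_targets: one list of target record types per CRM card.
    """
    scopes = set()
    if webhook_subscriptions:
        scopes.add("contacts")
    for targets in crm_card_targets:
        normalized = {t.strip().lower() for t in targets}
        if normalized & CONTACTS_CARD_TARGETS:
            scopes.add("contacts")
        if normalized & TICKETS_CARD_TARGETS:
            scopes.add("tickets")
    return scopes


def scopes_in_authorization_url(url):
    """Extract the scope set from an OAuth 2.0 authorization URL.

    Scopes are space-delimited (RFC 6749); parse_qs decodes both %20 and '+'.
    """
    query = parse_qs(urlparse(url).query)
    scopes = set()
    for value in query.get("scope", []):
        scopes.update(value.split())
    return scopes


def missing_scopes(url, webhook_subscriptions, crm_card_targets):
    """Scopes the configuration needs but the authorization URL does not request."""
    needed = required_scopes(webhook_subscriptions, crm_card_targets)
    return sorted(needed - scopes_in_authorization_url(url))


# Constructed sample: placeholder host, client ID and redirect URI.
SAMPLE_URL = ("https://auth.example.invalid/oauth/authorize"
              "?client_id=PLACEHOLDER&redirect_uri=https%3A%2F%2Fapp.example.invalid%2Fcb"
              "&scope=contacts")

if __name__ == "__main__":
    print(missing_scopes(SAMPLE_URL, ["sample.subscription"], [["deals"], ["tickets"]]))
```

A non-empty result means users installing through that URL would not be shown, or asked to approve, every scope the configured features require.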

5 Replies
pabloolvcastro
Participant

Hey guys,

I'd like to know what's gonna happen with the current users who have authorized the third-party app (our application) to access their accounts but haven't updated the authorization for the new scopes.
Are you guys finishing the current connections and requesting re-authorization? Or just not accepting those connections until the users properly allow access to the new scopes?

My main concern is to communicate that to the users. If this will require them to disconnect and reconnect to reauthorize on our application. Or if you guys will do that all over the HubSpot app.

Thank you.

0 Upvotes
artem1
Participant

Does this apply only to apps using webhook subscriptions on contacts or also, say, on deals? Would they need to be re-authorized?

paycove_rich
Member

Hey guys,

I'm just noticing that the URL for further documentation is dead: https://d.pr/free/i/AwA3xw

Any chance you could provide an updated URL?

Cheers,

Rich

0 Upvotes
Dadams
HubSpot Employee

Hi Rich, sorry about that, and thanks for reporting this. All of the links have been fixed and should point to the correct docs.

0 Upvotes
paycove_rich
Member

Excellent! Thank you!

0 Upvotes