I have a developer App which is authenticated with my portal. All API requests are going through, but when I try accessing custom objects with the access tokens I get a "403 Forbidden" with the following message:
Digging further into this, I was able to confirm that currently OAuth apps do not have create or edit access to custom objects, but they do have read access to the schemas. Therefore, if you are using OAuth to create the custom objects, a scope error will occur.
The reason is because giving apps create/edit access to schemas would allow apps to create custom objects for any portal in which they are installed. Custom objects are intended to be one-off and portal-specific. Allowing apps to create custom objects across any portal their app is installed in could lead to a messy experience for customers with many apps installed.
Hey @WendyGoh - in HubSpot test portals (e.g. portal 8582993) this same error message is returned when using OAuth to list (GET) records from CRM Custom Objects. Example:
I don't believe that is correct/expected, as according to the documentation OAuth authenticated API calls should be able to read/write records. Making the same call using the API key works OK. These are the scopes that were granted when running this test:
The entire thing should be rolled out as soon as possible on our enterprise subscription. But I am in the final testing stage on a test account. And custom objects are already available for us on both accounts (test and live).
Thanks for digging into this, @WendyGoh. I just burned an hour trying to figure out the same issue. Would it be possible to get the documentation updated to reflect this? Right now the CRM Custom Objects Schema docs show that the call should work with OAuth, and list an OAuth scope for the schema mutation calls.