HubSpot - Starface integration // User-Permissions

BFlory
Participant

Hello HubSpot community,

 

Currently we are trying to implement starface into our HubSpot. Everything works quite fine for all Superadmins. Unfortunately, we get this notification: 

Screenshot 2025-12-15 111601.png

Translation: The linking process could not be completed. Authorization failed because your user account does not have permission for the required areas (tickets). Please contact your account super administrator to request the necessary permissions.

 

When I go into the specific user permissions as a superadmin, I see the following:

BFlory_0-1765875782737.png

As I understand it, every permission is granted at the highest level.

Does anyone know what may cause the problem?

 

Best regards 

 

Ben

 

0 Upvotes
2 Accepted solutions
RubenBurdin
Solution
Top Contributor

Hi @BFlory, the screenshot you shared is actually very helpful, and it points to something subtle but important in how HubSpot evaluates permissions during OAuth installs.

Even though the user shows “Alle Tickets” for view, edit, delete, and merge, HubSpot does not treat object permissions and seat entitlements as the same thing during OAuth authorization. For apps requesting the tickets scope, HubSpot checks two things at install time. First, the user must have permission to approve app scopes. Second, the user must hold a Service Hub seat that unlocks ticket access at the product level, not just via role permissions.

 

A Core seat alone is not always sufficient for ticket-scoped OAuth apps, even if it “includes starters” on paper. The Core seat allows access to many features, but ticket APIs are still gated behind Service Hub entitlements when used by external apps. That’s why Super Admins work and standard users do not, even when their permissions look identical in the UI.

 

A quick way to confirm this is to temporarily assign the affected user a Service Hub seat (even a lower tier), then retry the STARFACE connection. In most cases, the authorization succeeds immediately once the seat is present. HubSpot documents this behavior implicitly under OAuth scope approval and object access, where product access is evaluated separately from role permissions (https://developers.hubspot.com/docs/api/working-with-oauth).

 

One more thing to double-check: make sure the authorizing user is the one completing the OAuth flow. Even if a Super Admin enabled Marketplace permissions globally, the individual user approving the app must personally meet the seat and scope requirements.

 

Hope this helps clarify why everything looks “green” in permissions, yet the install still fails.

Did my answer help? Please mark it as a solution to help others find it too.

Ruben Burdin
HubSpot Advisor
Founder @ Stacksync
Real-Time Data Sync between any CRM and Database

0 Upvotes
BFlory
Solution
Participant

Thank you for your detailed reply.

We solved it by granting Super Admin permission to the user, connecting the app via OAuth and reassigning the original role. That way it worked! Hopefully this does not become a problem sometime later on, but for now it is fine.

 

Thanks a lot and best regards

Ben
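
Added example, not part of the thread and not HubSpot's or STARFACE's code: after an app has been connected under a temporarily elevated role, one follow-up check is to compare the scopes and authorizing user recorded for the resulting token against what was intended. The metadata shape (`user`, `hub_id`, `scopes`), the allowlist and the e-mail addresses are constructed assumptions; only the `tickets` scope comes from the thread.

```python
import json

# Constructed sample shaped like an OAuth token-metadata response.
# Field names are an assumption; values are not real account data.
SAMPLE_TOKEN_METADATA = json.dumps({
    "user": "admin@example.com",
    "hub_id": 1234567,
    "app_id": 111111,
    "scopes": ["oauth", "tickets", "crm.objects.contacts.read",
               "crm.objects.contacts.write"],
    "token_type": "access",
})

# Hypothetical allowlist: the scopes the account owner agreed to grant.
EXPECTED_SCOPES = {"oauth", "tickets", "crm.objects.contacts.read"}


def audit_install(metadata_json, expected_scopes, expected_user):
    """Compare granted scopes and authorizing user against expectations."""
    meta = json.loads(metadata_json)
    granted = meta.get("scopes")
    if not isinstance(granted, list):
        raise ValueError("metadata has no 'scopes' list")
    granted = {str(s).strip().lower() for s in granted}
    expected = {s.lower() for s in expected_scopes}
    user = str(meta.get("user", "")).strip().lower()
    findings = {
        # Expected but absent: the integration will fail on these objects.
        "missing": sorted(expected - granted),
        # Granted but never agreed: more access than intended.
        "unexpected": sorted(granted - expected),
        # Token is tied to a different account than the intended user.
        "user_mismatch": user != expected_user.strip().lower(),
    }
    findings["ok"] = not (findings["missing"] or findings["unexpected"]
                          or findings["user_mismatch"])
    return findings


if __name__ == "__main__":
    print(audit_install(SAMPLE_TOKEN_METADATA, EXPECTED_SCOPES,
                        "ben@example.com"))
```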

BrandonWoodruff
Participant

Hello, can you confirm that the authorizing user has a Service Hub seat?

 

This could be caused by OAuth seat requirements if the user doesn't have the correct seat to provide the tickets scope.

 

Let me know if this helps, or if you have any other questions!

 

 


✔️ Was I able to help answer your question? Help the community by marking it as a solution.


Brandon Woodruff
Senior Software Developer @ Pearagon

Still have questions? Reach out at brandon@pearagon.com

 

0 Upvotes
BFlory
Participant

Hey Brandon,

 

The user has the license "Core":

BFlory_0-1765896209952.png

Shouldn't it be fine this way, since it includes all the "starters":

BFlory_1-1765896279732.png

 

0 Upvotes
GiantFocal
Top Contributor | Gold Partner

Hi @BFlory,

 

This screenshot does not indicate a user permission issue. Instead, it relates to who has the authority to approve the scopes requested by STARFACE.

 

For apps that need the tickets scope and often additional CRM scopes, HubSpot only allows users with App Marketplace Access or Super Admin rights to approve these scopes. Ensure your account has this permission. 

Glad I could help.
Solving HubSpot puzzles is what we do.
Ernesto // GiantFocal


Found this answer helpful?
Marking it as the solution helps both the community and me - thanks in advance!
BFlory
Participant

Hi @GiantFocal ,

 

I went to the following settings in HubSpot and turned on everything that had to do with the marketplace:

BFlory_5-1765896498086.png

 

Unfortunately this did not seem to be enough to change it. The message still appeared when we wanted to connect it.

 

 

0 Upvotes