
sachinr
Contributor

OAuth issue requiring superadmin


In our app we are requesting the following scopes: contacts timeline oauth.

 

When a super admin goes through the OAuth 2.0 flow to authorize our app, everything works as expected.

 

However, when a non-super admin goes through the OAuth 2.0 flow, we get an error saying that they do not have permission to do so. Reading the linked help doc seems to suggest they need super-admin access in order to be able to authorize the app.

 

In our app, we need not only an admin to install the app, but we need end users to authenticate so we can pull information on their behalf from HubSpot contacts, companies, and deals when rendering that information in our app.

 

How do we enable this without requiring the end users to be super admins in HubSpot? Is it a certain subset of the scopes (contacts timeline oauth) that require super admin? Will putting that subset of scopes as optional scopes solve this issue?

RBlack
Member


Isaac,

 

We are experiencing this issue May, 2021.

 

1)  Do you still need to have only 1 OAuth connection from a SuperAdmin that every user uses?  We currently have our integration setup where each user has their own OAuth login.

 

2)  If the OAuth integration still wants only 1 connection among all users, how do we track individual users for creating new Deals and other activities inside HubSpot?  Currently, we are able to use the email address for each individual connection using the endpoint "/oauth/v1/access-tokens/" to get the logged in user.

 

Thanks

Ryan

 

 

sachinr
Contributor

I was able to isolate the issue to specifically the contacts scope. What user permissions are required to grant access to an app that requires the contacts scope? Does the user need to be superadmin or is there a less powerful set of permissions that allows them to grant contacts access?

IsaacTakushi
HubSpot Employee

Hi, @sachinr.

 

Generally speaking, an admin should be able to connect an application requesting the contacts scope if they have full access to all contact, company, and deal objects, per the definition in this article. This means they should have the following permissions in the Users & Teams section of your account settings:

 

[Screenshots: Contacts Permissions 1.png, Contacts Permissions 2.png]

 

I say "generally speaking" because permissions can be a bit more complex and there isn't always a 1:1 relationship to settings and toggles in the UI.

 

To fully diagnose the issue, I'll need to know the following:

  1. Your app's ID.
  2. The Hub ID of the account where you wish to install your app.
  3. The email or userId of the user completing the installation flow. (If you don't want to spell out their entire email here, please specify their name or whatever comes before the @ symbol.)

Finally, you mention that "We need end users to authenticate so we can pull information on their behalf from HubSpot contacts, companies, and deals when rendering that information in our app." This is not the intention of the OAuth flow described here, nor is it possible.

 

As Derek describes in this post:

 

The existing OAuth system is not designed to act as a user-level auth process, nor is it intended to provide an authentication system for an external app. The system is intended to allow a single user to approve an app for an entire account.

 

Thus, if you want to surface data on contacts, companies, and deals to users in your external app, you must use your own authentication process before making API calls to your server and then to HubSpot (as most HubSpot APIs do not support CORS requests).


Isaac Takushi

Associate Certification Manager
sachinr
Contributor

Thanks for the reply @IsaacTakushi!

 

Is the issue that @Derek_Gervais mentions with the contacts scope requiring Super Admins for Marketing/CRM Free Portals still an ongoing issue? That seems to be what I'm experiencing, but his post is back from August last year, so wasn't sure if that was ongoing or resolved.

 

So I understand that the idea is to have a super admin approve the application and to re-use their access token on behalf of all users in their portal, but when a user is using our application and we want to make a request to a HubSpot API on their behalf, how do we know which portal they are part of and which access token to use unless we have them oauth to HubSpot to at least get their portal id so we can match it with the super admin's portal and access token?

IsaacTakushi
HubSpot Employee

Hi, @sachinr.

 

I just found out that the issue Derek mentioned is still open. I won't bore you with the details, but we dropped the ball on our end. Apologies.

 

Could you share the information I asked for above so I can notify the team that you're also likely affected? Here it is again:

  1. Your app's ID.
  2. The Hub ID of the account where you wish to install your app.
  3. The email or userId of the user completing the installation flow. (If you don't want to spell out their entire email here, please specify their name or whatever comes before the @ symbol.)

To best answer your last question, I'll need a bit more context. Could you describe the nature of your application in more detail? Specifically, I want to know exactly what you mean by "make a request to a HubSpot API on their behalf." Are these users logging into an instance of your application and adding to and pulling information from their HubSpot production account, or your own?

Isaac Takushi

Associate Certification Manager
sachinr
Contributor

Sure, app details here:

 

1. App ID: 186337

2. Hub ID: 5304870

3. User Email: ada@

 

So we've created an integration with our app, Notejoy, a collaborative note-taking application. Within HubSpot it adds a Notes card via a CRM Extension that lets you create, attach, view, and collaboratively edit notes within HubSpot. Authentication works fine in this case with just the original Super Admin authenticating for showing the card and we use our own cookie-based authentication for Notejoy when showing various iframes.

 

The issue comes in with the integration within Notejoy itself, where we have introduced a HubSpot Sidebar that allows our users to edit Hubspot contact, company, and deal details directly from Notejoy. While the Super Admin may have already connected via OAuth, the challenge is when a team member comes to Notejoy and tries to view and edit HubSpot contact/companies/deals, we do not know which HubSpot portal they belong to and therefore don't know which Super Admin access token to use, unless we have them also OAuth with HubSpot to at least get their portal id so we can identify which Super Admin access token that we have stored that we should be using. So in that case we have to use the OAuth API as an end-user OAuth API to just understand what team the end user is part of. Is there any alternative approach to this?

IsaacTakushi
HubSpot Employee

Hey, @sachinr.

 

Ada does have all the correct permissions in the UI to authenticate an app requiring the contacts scope, so I will share this information with the team. Hopefully, we'll get this issue resolved once and for all in the near future.

 

Thanks so much for the context! As we discussed, it's not possible for end-users to use the OAuth flow in that way, but I have an idea:

 

What if you asked for the user's Hub ID and checked their Notejoy login email against the users in that HubSpot account via the Owners API? Both this and this Get information endpoint return a hub_id value, so looking up a stored OAuth access token should be easy enough. Cross-referencing the email would add another layer of security. If a user doesn't know their Hub ID, you can link to this resource.

Isaac Takushi

Associate Certification Manager
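
The lookup suggested in the reply above, sketched as an added example (not code from the thread, Notejoy or HubSpot). It treats the user-supplied Hub ID as untrusted, requires an already-verified login email, and only releases the stored portal token when that email appears among the portal's owners. `list_owner_emails` is a hypothetical wrapper around the Owners API call; all Hub IDs, emails and tokens are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Iterable


@dataclass(frozen=True)
class PortalInstall:
    hub_id: int
    access_token: str  # token stored when the connecting admin authorized the app


class PortalLookupError(Exception):
    """The app user could not be tied to the claimed portal."""


def _norm(email: str) -> str:
    # Compare emails case-insensitively and ignore stray whitespace.
    return email.strip().casefold()


def resolve_install(
    claimed_hub_id: str,
    login_email: str,
    email_verified: bool,
    installs: Dict[int, PortalInstall],
    list_owner_emails: Callable[[PortalInstall], Iterable[str]],
) -> PortalInstall:
    # An unverified email would let anyone sign up as a colleague and
    # inherit the portal-wide token, so refuse before any lookup.
    if not email_verified:
        raise PortalLookupError("login email not verified")
    # The Hub ID is typed in by the user: accept plain ASCII digits only.
    if not (claimed_hub_id.isascii() and claimed_hub_id.isdigit()):
        raise PortalLookupError("malformed Hub ID")
    install = installs.get(int(claimed_hub_id))
    # Same message for "portal never installed the app" and "not a member",
    # so the response does not reveal which portals are connected.
    if install is None:
        raise PortalLookupError("no access to that portal")
    owners = {_norm(e) for e in list_owner_emails(install)}
    if _norm(login_email) not in owners:
        raise PortalLookupError("no access to that portal")
    return install


# Constructed sample data: two portals that installed the app.
INSTALLS = {
    1111111: PortalInstall(1111111, "token-portal-a"),
    2222222: PortalInstall(2222222, "token-portal-b"),
}
_CONSTRUCTED_OWNERS = {
    1111111: ["ada@example.test", "lin@example.test"],
    2222222: ["bob@example.test"],
}


def constructed_owner_emails(install: PortalInstall) -> Iterable[str]:
    # Stand-in for the real owners lookup made with install.access_token.
    return _CONSTRUCTED_OWNERS[install.hub_id]
```

Because the stored token carries the connecting admin's permissions for the whole account, the membership check is the only thing separating one customer's users from another customer's CRM data; it should run on every session, not just at first link.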
felipeecst
Member

Hi @IsaacTakushi,

 

I'm having exactly the same issue reported here. I can't authorize an app using a user that is not a super admin 😕

 

Are there any updates regarding this problem?

 

Here's the app details:

App ID: 189817

Hub ID: 4704893

User email: vinicius.sa@

IsaacTakushi
Solution
HubSpot Employee

Thanks for following up, @felipeecst. Apologies for the pain around this.

 

This issue is caused by the fact that non-super admins in free accounts currently cannot get access to a necessary scope within the contacts scope group.

 

We plan to release a change to all free accounts that will resolve this issue around the first week of April, 2019. Until then, super admins will still be the only user role able to connect OAuth apps requesting the contacts scope group to free accounts.

 

I'll update here when the relevant features are live with additional instructions. Thanks for your patience and understanding.

Isaac Takushi

Associate Certification Manager
felipeecst
Member

Hi @IsaacTakushi, thanks for the quick reply.

 

I am trying to authorize the application in a non-free HubSpot account. The account is under Marketing Hub Professional and Sales Hub Professional plan.

 

So, per your description of the problem, this should not be happening, right?

 

 

IsaacTakushi
HubSpot Employee

Hi, @felipeecst.

 

It looks like you reached out to support and are working with Gabriel.

 

My colleague Connor is assisting Gabriel on our end. From what I gather, it appears that the issue is that Vinicius' user does not have lists access (In user settings: Marketing > Lists).

 

If this is the case, this is actually the same cause as discussed above. The only difference is that you can grant access to lists in the UI while free users cannot.

Isaac Takushi

Associate Certification Manager
nickmortensen
Member

Does all of this mean that there is no account level authentication needed (or possible) via Hubspot for external apps? I've got an Alexa app working through my hapiKey right at the moment, but I was planning on making it available to our sales team with the notion they'd be using their individual accounts with it. I'm having a **bleep** of a time with account linking in the development version of the app that would use it rather than the hapiKey and I'd sort of like to know if I am barking up the wrong tree.

Is it possible for an individual user within our account to link his or her account to the Alexa app?

IsaacTakushi
HubSpot Employee

Hi, @nickmortensen.

 

Apologies for the delayed response. I have been out of the office. I'd be happy to clarify further.

 

It sounds like you're describing user-specific integrations or at least user-specific instances of an integration. This is not yet possible with HubSpot's authentication methods.

 

A single super admin or user with the proper permissions (scopes) connects an integration which can then be used by all account users with the connecting user's credentials.

 

In your case, all users would have to use the Alexa account of the super admin or user who connected the app.

 

I'm truly sorry if this is painful news. We are moving toward user-specific integrations, but I don't have a concrete timeline to share at this time.

Isaac Takushi

Associate Certification Manager
yazla
Member

Hi Isaac,

Hope you are doing well.

Just want to ask a clarification here regarding the OAuth flow for non admin users.

So once a super admin installs and accepts the integration the other non admin users should be able to complete OAuth as well, or it is not how it works?
In other words, after the app is approved by super admin, how to make non-admin users use it? Simply use the refresh token generated from OAuth from the admin?
In other words, the generated token to be used in API should be shared across all users who want to use it or the access token should be generated for each non admin user?

Really appreciate your help.
Kind Regards,

- Yuriy

IsaacTakushi
HubSpot Employee

Hi, @yazla.

 

Happy to clarify.

 

Once a Super Admin (or other user with the proper role) connects an integration, it can be used by all users in the account, provided they have access to the corresponding tools. This is because the OAuth token granted has all the permissions that the Super Admin approved. Effectively, each integration will only have one valid OAuth token at a time, to be used by all users across the account.

 

For example, if I am a Super Admin and approve an integration that requires access to all content tools, any one of my colleagues who have access to these content tools can use the integration. If I have a colleague who only has access to sales tools, they will not be able to use the integration since it only uses the content tools in my HubSpot account.

 

Please let me know if I can clarify further!

Isaac Takushi

Associate Certification Manager
voicify_gavin
Member

Hi Isaac,

 

I have a question to clarify some of the things in this thread, I'm in a similar situation to some other users here. I'm building account linking with Alexa and Google Assistant to access data from a user's Hubspot instance, allowing them to ask user-specific questions including "How many open tickets are assigned to me". (In my actual app, I am using scopes: oauth, contacts, and tickets)

 

So for the Alexa app let's say, Alice goes home and asks her Alexa "Ask Hubspot Helper how many open tickets are assigned to me". Alexa presents Alice with the OAuth screen, she logs in, gets redirected, and now Alexa has an OAuth Access Token for her Hubspot access. My app receives that Access Token and can make API calls on behalf of Alice, including checking the token info to get her email address and filter tickets that she owns. (This is all working in my instance so far. It looks like this step also adds the integration to the Hubspot org)

 

Then Bob who is in the same organization goes home and does the same thing, so his Alexa has a new Access Token minted for his use. Does this affect Alice's OAuth token access? Can they both still filter for their own tickets with simultaneous usage of the app?

 

I understand that there are some limitations based on a free account vs. a paid one. I'm assuming it is a paid account, so I'm more concerned with the behavior of the application based on who is logged in. If Alice is a superuser and Bob is not, what is the behavior of each of their OAuth tokens against the API? If Alice is not a superadmin but has enough access to approve the integration based on her scopes, does behavior change when a superadmin logs in later?

 

Appreciate the help!

IsaacTakushi
HubSpot Employee

Hi, @voicify_gavin.

 

These are good questions. I'm happy to clarify further.

 

Users can generate multiple valid access tokens by each completing the OAuth flow. Multiple authentications will not affect all tokens; each token inherits the permissions of the original user.

 

To be transparent, however, I haven't yet tested whether all access tokens for all users can be refreshed once they expire.

 

In your example, if you're requiring scope=oauth%20contacts%20tickets, then Alice and Bob's tokens will behave identically since they both must have full access to all CRM objects to connect your app.

 

With this said, the current HubSpot OAuth flow is not designed to support user-level integrations. As I note above, best practice is to have one valid OAuth token at a time for all users. In this scenario, you would have to obtain Alice and Bob's HubSpot user emails another way.

 

If you pursue generating separate access tokens for every user and these tokens cannot be refreshed once they expire, users who aren't the "last" person to auth the integration in an account will be forced to complete the OAuth flow again.

 

Please let me know if I'm making any sense or if you have additional questions.

Isaac Takushi

Associate Certification Manager
Tegen
Member

Any updates on this? We would really like to be able to use OAuth per user instead of a single Super Admin account, but because of this issue with fetching contacts, we can't.

 

Is there any way of bypassing this issue for free tier customers? Our app will only ever fetch contacts, i.e. never create or update them if that's of any help.

IsaacTakushi
HubSpot Employee

Welcome, @Tegen.

 

To clarify, by "We would really like to be able to use OAuth per user," are you referring to user-specific integrations?

 

If so, these are still not supported. While we hope to support user-specific apps at some point, I cannot offer a concrete timeline.

 

The issue of non-Super Admins in Marketing or Sales Hub Free accounts failing to connect apps requiring the contacts scope is ongoing. At this time, there is no way to bypass the issue — a Super Admin must connect the integration.

 

I have reached out to the relevant team to stress the urgency of this issue. Thank you for your continued patience.

Isaac Takushi

Associate Certification Manager
taylorbarstow
Member

Hi @IsaacTakushi 

 

On July 10 2019 you mentioned "The issue of non-Super Admins in Marketing or Sales Hub Free accounts failing to connect apps requiring the contacts scope is ongoing. At this time, there is no way to bypass the issue — a Super Admin must connect the integration."

 

Is this still the case? We seem to be experiencing the exact same issue with our integration here in Feb 2021.

 

Thanks so much!

 

Best,

Taylor