APIs & Integrations

Not applicable

Optional Scopes and "You do not have the correct role to grant these permissions."

Hello, I’m attempting to verify that my company’s HubSpot OAuth2 app can be integrated with our clients’ HubSpot accounts. I understand that CRM-only HubSpot accounts do not have access to scopes that are only available to Marketing HubSpot accounts.

I have no problem authorizing with the Test Portal that’s set up alongside our Dev Account. However, I’m not able to authorize our app when using a dummy HubSpot account (Hub Portal ID: 3306102) with these products: HubSpot Marketing Free, HubSpot CRM, and HubSpot Sales Free. Specifically, I get this error:

Uh oh!
You do not have the correct role to grant these permissions. Please contact your administrator.

The HubSpot OAuth API documentation denotes the optional_scope parameter which has this description:

Optional scopes will be automatically dropped from the authorization request if the user selects a HubSpot account that does not have access to that tool (such as requesting the social scope on a CRM only portal).

Our app does request permission for Marketing-only scopes, namely “content”, “reports”, “automation”, and “forms”. I added those scopes to the optional_scope param as per the documentation.

The resultant OAuth URL looks like this:

https://app.hubspot.com/oauth/<portal-id>/authorize?client_id=<redacted>&optional_scope=content%20reports%20automation%20forms&redirect_uri=<callback-url>&scope=contacts%20content%20reports%20automation%20forms&state=<redacted>

Attempting to initiate OAuth access using this URL with the optional_scope param also results in the permissions error I noted above.

I attempted to make all the scopes optional:

https://app.hubspot.com/oauth/<portal-id>/authorize?client_id=<redacted>&optional_scope=contacts%20content%20reports%20automation%20forms&redirect_uri=<callback-url>&scope=contacts%20content%20reports%20automation%20forms&state=<redacted>

But again, this results in the same error.

I’ve found similar issues, one of which has a note saying it was resolved:

I'm attempting to authenticate Hubspot with OAuth2 using the automation, contacts, and content scopes and getting this message on the redirect URL : "Uh oh! You do not have the correct role to grant these permissions. Please contact your administrator.". I believe I'm logged into our administrator account when running this request. Any help in resolving this would be appreciated.

Am I misunderstanding the purpose of optional scopes? Any insight into this error would be appreciated. Thanks in advance!

27 Replies 27
3PETE
HubSpot Employee
HubSpot Employee

Optional Scopes and "You do not have the correct role to grant these permissions."

@mattstitch Just out of curiosity does it work if you remove it from the call? The state is not a supported parameter on our calls.

0 Upvotes
Not applicable

Optional Scopes and "You do not have the correct role to grant these permissions."

@pmanca It’s an app with multiple tenants, some of whom may be non-Marketing. The app fetches data from the API endpoints for Contacts, Forms, etc. I believe this part of the HubSpot OAuth documentation is applicable:

If your app can work with multiple types of HubSpot accounts, you can use the optional_scope parameter to include any scopes you work with that only apply to marketing accounts, so that customers using CRM accounts can still authorize your app. Your app will be responsible for checking for and handling any scopes that you didn’t get authorized for.

Is optional_scope appropriate for our use case?

0 Upvotes
3PETE
HubSpot Employee
HubSpot Employee

Optional Scopes and "You do not have the correct role to grant these permissions."

What is this at the end of your call?

&state=<redacted>
0 Upvotes
Not applicable

Optional Scopes and "You do not have the correct role to grant these permissions."

Hey @pmanca – please see my last reply. I changed the request to initiate OAuth access based upon your suggestion, but that just gives a different error. Is it possible to connect a non-Marketing Hubspot portal to an application with some Marketing-only scopes, as long as those Marketing-only scopes are optional? If so, how should the OAuth URL be formatted?

Thanks again for your help!

0 Upvotes
3PETE
HubSpot Employee
HubSpot Employee

Optional Scopes and "You do not have the correct role to grant these permissions."

@mattstitch What is your app that you are installing trying to do? Are you trying to perform marketing related activities? Does the install work on a portal that has the marketing tools.

Yes it is possible but you need to make sure the actions the app is taking will not conflict with the scopes.

0 Upvotes
Not applicable

Optional Scopes and "You do not have the correct role to grant these permissions."

Thanks for the response @pmanca.

I believe I am an admin in the portal I’m trying to install the app into. In my user preferences page it says “Marketing Administrator”, “Sales Administrator”, and “Account Administrator”.

They should be in one group. optional or not.

Do you mean each scope should be in one group or the other? The “contacts” scope appears to be permissible for Marketing and/or CRM accounts, and the other scopes are Marketing-only.

My new URL looks like this:

https://app.hubspot.com/oauth/<portal-id>/authorize?client_id=<redacted>&optional_scope=content%20reports%20automation%20forms&redirect_uri=<callback-url>&scope=contacts&state=<redacted>

Doing this results in a different error:

Uh oh!
Insufficient scopes were provided. Please contact the integrator.

The application I’m trying to integrate with has the following scopes:

Read from and write to my Contacts
Read from and write to my Content
Read from and write to my Reports
Read from and write to my Workflows
Read from and write to my Forms

0 Upvotes
3PETE
HubSpot Employee
HubSpot Employee

Optional Scopes and "You do not have the correct role to grant these permissions."

@mattstitch

Are you an admin in the portal you are trying to install the app into?
Also both the URLs have all of the scopes required in addition to be optional.

&scope=contacts%20content%20reports%20automation%20forms

They should be in one group. optional or not.

0 Upvotes