4 Accepted solutions
Hello,
HubSpot scopes are mostly explicit and non-overlapping. To alloww the app the ability to read, I would suggest adding the crm.objects.contacts.read scope. not only will this confirm they have the correct access, but it will allow anyone else that reviews the app connection later to see quickly that the app is both reading and writting contact data.
Let me know if this helps, or if you have any other questions!
✔️ Was I able to help answer your question? Help the community by marking it as a solution.
| Brandon Woodruff Still have questions? Reach out at brandon@pearagon.com 
|
Hi @ManishCV
In order to read the HubSpot contact or any other object, you need to provide the read scope of that particular object. Providing the write will only let the user input the data into HubSpot, and they will not be able to read the object.
I hope this will help you out. Please mark it as Solution Accepted and upvote to help another Community member.
Thanks
Hi @ManishCV the short answer is no. In HubSpot, write scopes do not implicitly grant read access.
Scopes are explicit and additive.
If your private app only has contacts.write, the token can create or update contacts, but it cannot read existing contact data, list contacts, or fetch properties. Any attempt to do so will return a 403 with a missing-scope error. To read contacts, you must explicitly add contacts.read or the newer crm.objects.contacts.read scope, depending on the endpoints being used. HubSpot is very strict about this by design.
This is intentional from a security standpoint, especially in cases like yours where you’re sharing a private app token with a third party. If you only want them to push data into HubSpot and not see anything that’s already there, keeping write-only scopes is the correct and safest setup. Once you add a read scope, they’ll be able to fetch contact records, properties, and potentially search across your CRM.
One practical tip: even if today you think they “might need read later,” it’s usually better to keep scopes minimal and revisit if requirements change. Private app permissions are very visible in audit and security reviews, and explicit scopes make it much clearer what an integration is allowed to do.
Sounds like you’re already on the right track.
Did my answer help? Please mark it as a solution to help others find it too.
 | Ruben Burdin HubSpot Advisor Founder @ Stacksync Real-Time Data Sync between any CRM and Database |
 | |
Hi @ManishCV the short answer is no. In HubSpot, write scopes do not implicitly grant read access.
Scopes are explicit and additive.
If your private app only has contacts.write, the token can create or update contacts, but it cannot read existing contact data, list contacts, or fetch properties. Any attempt to do so will return a 403 with a missing-scope error. To read contacts, you must explicitly add contacts.read or the newer crm.objects.contacts.read scope, depending on the endpoints being used. HubSpot is very strict about this by design.
This is intentional from a security standpoint, especially in cases like yours where you’re sharing a private app token with a third party. If you only want them to push data into HubSpot and not see anything that’s already there, keeping write-only scopes is the correct and safest setup. Once you add a read scope, they’ll be able to fetch contact records, properties, and potentially search across your CRM.
One practical tip: even if today you think they “might need read later,” it’s usually better to keep scopes minimal and revisit if requirements change. Private app permissions are very visible in audit and security reviews, and explicit scopes make it much clearer what an integration is allowed to do.
Sounds like you’re already on the right track.
Did my answer help? Please mark it as a solution to help others find it too.
| | Ruben Burdin HubSpot Advisor Founder @ Stacksync Real-Time Data Sync between any CRM and Database |
| | |
Hi @ManishCV
In order to read the HubSpot contact or any other object, you need to provide the read scope of that particular object. Providing the write will only let the user input the data into HubSpot, and they will not be able to read the object.
I hope this will help you out. Please mark it as Solution Accepted and upvote to help another Community member.
Thanks
Hello,
HubSpot scopes are mostly explicit and non-overlapping. To alloww the app the ability to read, I would suggest adding the crm.objects.contacts.read scope. not only will this confirm they have the correct access, but it will allow anyone else that reviews the app connection later to see quickly that the app is both reading and writting contact data.
Let me know if this helps, or if you have any other questions!
✔️ Was I able to help answer your question? Help the community by marking it as a solution.
| Brandon Woodruff Still have questions? Reach out at brandon@pearagon.com
|
