New permission requirements for installing public apps
What's changing?
Beginning onMonday, October 16th, theApp Marketplace Access permissionwill be required for the first install of anypublic app. This change will affect any HubSpot user installing any public app, when the app has not been previously installed in the HubSpot account.
Currently, this permission is required when installing apps from theHubSpot App Marketplace. Going forward, this permission will be required when installing any integration, including apps installed from third-party websites.
TheApp Marketplace Access permissionwill be required in addition to any other permissions required to install the app, based on the scopes being requested from the app.
This permission is automatically included with super admin permissions, so this change will not affect super admin users.
What's changing?
The App Marketplace Access permission will be required to install an app any time an app requests new OAuth scopes. This will include new installs when the app hasn't been granted any scopes.
Once an app is installed, it can be re-installed by the same user or other users without the App Marketplace Access permission, as long as the installation does not request any new scopes. Re-installations will still allow your app to get a new OAuth refresh and access token for the new user with any requested scopes that have been previously approved for the account.
If any scopes not previously approved for the app in the HubSpot account are requested, the user will need to have the App Marketplace Access permission to approve and complete the installation.
This update will have no effect on installations completed before this change. Any existing refresh tokens will continue to work as they already do, and reinstallations of apps that are already installed will not require the App Marketplace Access permission unless new scopes are requested. Any apps that are uninstalled from an account will be treated as a brand new app with no granted permissions the next time a user tries to install it.
Since this permission is already required for installing apps directly from the HubSpot App Marketplace, this change will not affect installing apps from the marketplace if the install button goes directly to the OAuth install process. However, this will affect apps listed in the marketplace where the install button links to your external site, and then the user is directed to the install URL from your site.
The App Marketplace Access permission will not be required for apps that only request theoauthscope by itself. This will only apply if theoauth scope is the only scope requested with thescope=parameter. If any other scopes are included, or if any scopes are included in theoptional_scope=parameter, the App Marketplace Access permission will be required to install the app.
Why is this happening?
This change ensures that the permissions required to install an app are the same for apps listed in the marketplace as well as unlisted apps, and makes sure the same permissions are required regardless of where the installation is initiated from. This also makes sure that HubSpot super admins have full control over who is allowed to install apps in their HubSpot account.
When is this happening?
This change will go into effect onMonday, October 16th.
Please let us know if you have any questions by replying below.
New permission requirements for installing public apps
Could you share what the experience would be for a user that does not have the correct permissions? Is it an error page? Will you call the OAuth callback URL with a failure response? Unsure if there is a new scenario we need to handle in our app and less than two weeks notice on the changes.
How would you recommend that — from inside our own marketplace app — we determine if a user has the permission to grant us new scopes? If we add a new feature that requires additional scopes, we need to prompt them to re-install with the updated scopes but now it seems that much fewer HS accounts will be able to do that?