Developer Announcements

HubSpot Employee

New permission requirements for installing public apps

What's changing?

Beginning on Monday, October 16th, the App Marketplace Access permission will be required for the first install of any public app. This change will affect any HubSpot user installing any public app, when the app has not been previously installed in the HubSpot account.


Currently, this permission is required when installing apps from the HubSpot App Marketplace. Going forward, this permission will be required when installing any integration, including apps installed from third-party websites.


The App Marketplace Access permission will be required in addition to any other permissions required to install the app, based on the scopes being requested from the app.


This permission is automatically included with super admin permissions, so this change will not affect super admin users.


What's changing?

The App Marketplace Access permission will be required to install an app any time an app requests new OAuth scopes. This will include new installs when the app hasn't been granted any scopes.


Once an app is installed, it can be re-installed by the same user or other users without the App Marketplace Access permission, as long as the installation does not request any new scopes. Re-installations will still allow your app to get a new OAuth refresh and access token for the new user with any requested scopes that have been previously approved for the account.


If any scopes not previously approved for the app in the HubSpot account are requested, the user will need to have the App Marketplace Access permission to approve and complete the installation.


This update will have no effect on installations completed before this change. Any existing refresh tokens will continue to work as they already do, and reinstallations of apps that are already installed will not require the App Marketplace Access permission unless new scopes are requested. Any apps that are uninstalled from an account will be treated as a brand new app with no granted permissions the next time a user tries to install it.


Since this permission is already required for installing apps directly from the HubSpot App Marketplace, this change will not affect installing apps from the marketplace if the install button goes directly to the OAuth install process. However, this will affect apps listed in the marketplace where the install button links to your external site, and then the user is directed to the install URL from your site.


The App Marketplace Access permission will not be required for apps that only request the oauth scope by itself. This will only apply if the oauth scope is the only scope requested with the scope= parameter. If any other scopes are included, or if any scopes are included in the optional_scope= parameter, the App Marketplace Access permission will be required to install the app.


Why is this happening?

This change ensures that the permissions required to install an app are the same for apps listed in the marketplace as well as unlisted apps, and makes sure the same permissions are required regardless of where the installation is initiated from. This also makes sure that HubSpot super admins have full control over who is allowed to install apps in their HubSpot account.


When is this happening?

This change will go into effect on Monday, October 16th.


Please let us know if you have any questions by replying below.
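The rules in the announcement above can be checked against an install URL before sending users to it. The following is an added example, not HubSpot code: the function name, client ID and redirect URI are placeholders, and counting optional_scope entries as requested scopes on re-install is an assumption drawn from the wording above.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample install URL prefix; client_id and redirect_uri are placeholders.
BASE = ("https://app.hubspot.com/oauth/authorize?client_id=CLIENT_ID_PLACEHOLDER"
        "&redirect_uri=https%3A%2F%2Fexample.com%2Fcallback")


def _scopes(query, key):
    # Scopes travel as one space-separated value per parameter.
    return {s for value in query.get(key, []) for s in value.split()}


def needs_marketplace_access(install_url, approved):
    """Return (permission_required, new_scopes) for one install attempt.

    approved: scopes already granted to the app in this HubSpot account;
    empty for a first install or after the app was uninstalled.
    """
    query = parse_qs(urlsplit(install_url).query)
    required = _scopes(query, "scope")
    optional = _scopes(query, "optional_scope")

    # Exception: only the oauth scope in scope=, nothing in optional_scope=.
    if required == {"oauth"} and not optional:
        return False, []

    # Assumption: optional scopes count as requested when looking for new ones.
    new = sorted((required | optional) - set(approved))
    return bool(new), new


if __name__ == "__main__":
    granted = {"oauth", "crm.objects.contacts.read"}
    cases = {
        "first install": (BASE + "&scope=oauth%20crm.objects.contacts.read", set()),
        "oauth only": (BASE + "&scope=oauth", set()),
        "oauth + optional": (BASE + "&scope=oauth&optional_scope=crm.objects.deals.read", set()),
        "re-install, same scopes": (BASE + "&scope=oauth%20crm.objects.contacts.read", granted),
        "re-install, new scope": (BASE + "&scope=oauth%20crm.objects.contacts.read"
                                         "%20crm.objects.deals.read", granted),
    }
    for name, (url, approved) in cases.items():
        print(name, needs_marketplace_access(url, approved))
```

The set of previously approved scopes has to come from the app's own records of earlier installs for that account.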


New permission requirements for installing public apps


I’m encountering an issue with the HubSpot token API.

Upon successful authentication with my public app, HubSpot sends a code to my backend, which I then exchange for a refresh token.

While this process has worked seamlessly for over 200 users, I’ve recently observed that some users, despite having correct permissions (the same as previously successfully authenticated users), are unable to connect.

Upon inspecting my logs, I noticed an error associated with the /oauth/v1/token endpoint.

This is where I attempt to exchange the received code from HubSpot for a refresh token.

The error details are as follows:

"correlationId": "a03b9ff5-06b4-4f2a-af19-f45f1b5c71e4",
"message": "missing or unknown auth code",
"status": "BAD_AUTH_CODE"

I’ve searched the forum for insights but haven’t found a solution.

Has anyone experienced this or have any suggestions on how to resolve it?

Thank you in advance for your assistance!


New permission requirements for installing public apps

  • Could you share what the experience would be for a user that does not have the correct permissions? Is it an error page? Will you call the OAuth callback URL with a failure response? Unsure if there is a new scenario we need to handle in our app and less than two weeks' notice on the changes.
  • How would you recommend that — from inside our own marketplace app — we determine if a user has the permission to grant us new scopes? If we add a new feature that requires additional scopes, we need to prompt them to re-install with the updated scopes but now it seems that far fewer HS accounts will be able to do that?