Unexpected permission requirements when connecting an external app (OAuth scopes mismatch)

Hello,

I am currently facing an issue when trying to connect an external application to HubSpot.

The application only requests the following OAuth scopes in the installation URL:

crm.objects.owners.read
crm.schemas.companies.write
crm.schemas.companies.read
crm.schemas.contacts.write
crm.schemas.contacts.read
crm.objects.contacts.write
crm.objects.contacts.read
crm.objects.companies.write
crm.objects.companies.read

However, during the authorization process, HubSpot displays a much broader set of required permissions, including:

  • App Marketplace access

  • Workflows > Delete

  • Workflows > Edit

  • Workflows > Enroll

  • Workflows > Publish

  • Account Access

  • Marketing Access

  • Sales Professional

  • Add and edit teams

  • Segments > Edit

  • Partner Admin

  • Edit property settings

These permissions appear unrelated to the scopes defined by the application and are significantly broader than expected.

Because of this, users are prompted to grant permissions that the application does not actually request or require.

Additionally, I have noticed that sometimes HubSpot asks for scopes that are supposed to be conditional scopes for the installed application. From my understanding, these scopes should only be requested if certain features are used or enabled, but they still appear during the authorization process.

My questions are:

  1. Why are these additional permissions being displayed during the authorization process when they are not included in the requested OAuth scopes?

  2. Could this behavior be related to account-level permissions, app configuration, or HubSpot portal settings?

  3. Why are scopes that are supposed to be conditional still being requested during installation?

  4. Is there a way to ensure that only the scopes explicitly requested by the application are shown to the user?

Any clarification would be greatly appreciated.

Thank you for your help.
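
One way to confirm what the installation URL itself requests, as an added example that is not part of the original post or of HubSpot's code: it parses the `scope` and `optional_scope` query parameters of an authorize URL and diffs them against the nine scopes listed above. The sample URL, its `client_id`, `redirect_uri` and the extra scope name are constructed placeholders.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# The nine scopes the post lists as requested in the installation URL.
EXPECTED_SCOPES = frozenset({
    "crm.objects.owners.read",
    "crm.schemas.companies.write",
    "crm.schemas.companies.read",
    "crm.schemas.contacts.write",
    "crm.schemas.contacts.read",
    "crm.objects.contacts.write",
    "crm.objects.contacts.read",
    "crm.objects.companies.write",
    "crm.objects.companies.read",
})

def _scopes(query, name):
    """Collect the space-separated scopes from every occurrence of a parameter."""
    return {s for value in query.get(name, []) for s in value.split()}

def audit_install_url(url, expected=EXPECTED_SCOPES):
    """Diff the scopes carried by an install URL against the intended list."""
    query = parse_qs(urlsplit(url).query)  # decodes %20 and '+' to spaces
    required = _scopes(query, "scope")
    optional = _scopes(query, "optional_scope")
    requested = required | optional
    return {
        "required": sorted(required),
        "optional": sorted(optional),
        "unexpected": sorted(requested - expected),  # broader than intended
        "missing": sorted(expected - requested),     # intended but not sent
        "write": sorted(s for s in requested if s.endswith(".write")),
    }

# Constructed sample: the nine expected scopes plus one made-up optional scope.
SAMPLE_URL = "https://app.hubspot.com/oauth/authorize?" + urlencode({
    "client_id": "PLACEHOLDER-CLIENT-ID",
    "redirect_uri": "https://example.invalid/callback",
    "scope": " ".join(sorted(EXPECTED_SCOPES)),
    "optional_scope": "example.extra.scope",
})

if __name__ == "__main__":
    for key, value in audit_install_url(SAMPLE_URL).items():
        print(f"{key}: {value}")
```

An empty `unexpected` list means the URL carries nothing beyond the intended scopes, so any extra items on the consent screen are not coming from the URL's scope parameters.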
