OAuth Scopes and Endpoints
Required Scopes and Endpoint Domains for HubSpot
When integrating with HubSpot, your application needs specific permissions to interact with the API.These permissions are defined by access scopes, which determine what data your application can access and what actions it can perform.
This topic provides information about the required access scopes and endpoint domains for the HubSpot add-in.
Understanding Scopes
Scopes are a way to limit an application's access to a user's data. They define the specific actions that an application can perform on behalf of the user.
For example, a read-only scope might allow an application to view data, while a full access scope might allow it to modify data.
Required Scopes for HubSpot
| Scope | Description |
| automation | Access automation workflows. Required for read and write access. |
| business-intelligence | Access endpoints that sit on top of sources and email. Required for read and write access. |
| cms.source_code.read_write | Provides the ability to upload and download templates, modules, and other files that developers need to write the code for websites and emails. Required for write access. |
| collector_graphql_query_execute | Query data from your HubSpot account using the GraphQL API endpoint. Required for read and write access. |
| collector_graphql_query_read | Perform introspection queries via GraphQL application clients such as GraphQL. Required for read and write access. |
| content | Access sites, landing pages, CTA, email, blog, and campaigns. Required for read and write access. |
| conversations.read | View details about threads in the conversations inbox. Required for read and write access. |
| conversations.visitor_identification.tokens.create | Fetch identification tokens for authenticated website visitors interacting with the HubSpot chat widget. Required for read and write access. |
| crm.import | Allows you to import records into your CRM. This includes creating new records or modifying any of your existing records for all CRM data types (contacts, companies, deals, tickets, etc). It doesn't include archiving or deleting any data. Required for read and write access. |
| crm.lists.read | View details about contact lists. Required for read and write access. |
| crm.lists.write | Create, delete, or make changes to contact lists. Required for write access. |
| crm.objects.companies.read | View properties and other details about companies. Required for read and write access. |
| crm.objects.companies.write | View properties and create, delete, or make changes to companies. Required for write access. |
| crm.objects.contracts.read | View properties and other details about contacts. Required for read and write access. |
| crm.objects.contracts.write | View properties and create, delete, and make changes to contacts. Required for write access. |
| crm.objects.deals.read | View properties and other details about deals. Required for read and write access. |
| crm.objects.deals.write | View properties and create, delete, or make changes to deals. Required for write access. |
| crm.objects.owners.read | View details about users assigned to a CRM record. Required for read and write access. |
| crm.schemas.companies.read | View details about property settings for companies. Required for read and write access. |
| crm.schemas.companies.write | Create, delete, or make changes to property settings for companies. Required for write access. |
| crm.schemas.contacts.read | View details about property settings for contacts. Required for read and write access. |
| crm.schemas.contacts.write | Create, delete, or make changes to property settings for contacts. Required for write access. |
| crm.schemas.deals.read | View details about property settings for deals. Required for read and write access. |
| crm.schemas.deals.write | Create, delete, or make changes to property settings for deals. Required for write access. |
| e-commerce | Access e-commerce features. Required for read and write access. |
| files | Access File Manager. Required for read and write access. |
| forms | Access the Forms endpoints. Required for read and write access. |
| forms-uploaded-files | Download files submitted through a form. Required for read and write access. |
| hubdb | Access HubDB. Required for read and write access. |
| integration-sync | This exposes the sync API, which allows syncing of most CRM objects. Required for read and write access. |
| oauth | Basic scope required for OAuth. Required for read and write access. |
| sales-email-read | Grants access to read all details of one-to-one emails sent to contacts. Required for read and write access. |
| settings.user.read | Retrieves users and user roles from a HubSpot account. Required for read and write access. |
| settings.user.teams.read | Retrieves teams from a HubSpot account. Required for read and write access. |
| social | Access Social Inbox. Required for read and write access. |
| tickets | Access tickets. Required for read and write access. |
| timeline | Grants access to manage custom events on HubSpot CRM records. This includes creating or updating records. Required for read and write access. |
| transactional-email | Access transactional emails and the transactional emails endpoints. Required for read and write access. |
Understanding Endpoint Domains
Endpoint domains are the specific URLs that the application needs to communicate with in order to authenticate, retrieve records, and perform other essential operations.
Allowlisting these domains ensures that the network traffic between your application and the API is not blocked by firewalls or security settings.
Note: Most users do not need to make any special configurations. Allowlisting is typically only necessary for environments with strict security measures, such as restricted outbound network traffic.
Required Endpoint Domains for HubSpot
| Domain | Always Required | Description |
| api.hubspot.com | TRUE | The base URL for the HubSpot API. |
| app.hubspot.com | FALSE | The domain used for performing OAuth authorization for HubSpot. |