{"id":"fbd44329-86af-4cff-93f0-108f78a4d6f2","task":"Use the HubSpot OAuth scopes model and private app tokens to implement least-privilege access for a CRM integration","domain":"developers.hubspot.com","steps":["Enumerate the exact HubSpot API scopes your integration needs by checking the scope requirements listed in the reference documentation for every endpoint you call; record the resulting list so it can be audited later","For a server-to-server integration, create a Private App in HubSpot and select only the required scopes at creation time","Copy the access token from the private app's Auth tab and store it in a secrets manager, never in source control; send it on every request as a Bearer token in the Authorization header","For user-installed integrations, implement the standard OAuth 2.0 authorization code flow, requesting only required scopes in the scope parameter of the authorize URL; put nice-to-have scopes in the optional_scope parameter so an account that lacks them can still complete the install","OAuth access tokens are short-lived (about 30 minutes); before one expires, exchange the refresh token at the HubSpot token endpoint with grant_type=refresh_token and persist the tokens returned","Periodically audit the scopes in use and remove any that are no longer needed, so a leaked credential grants the attacker as little as possible"],"gotchas":["Private app tokens do not expire on their own but are invalidated when the token is rotated or the app is deleted; rotation can invalidate the old token immediately, so build a rotation procedure that rolls the new token out to every dependent service before the old one is expired","An OAuth install only succeeds if the installing user's HubSpot permissions cover every requested scope, and some scopes also depend on the account's product tier; test with a real install into a representative account, not only with a private app","Scopes granted at OAuth install time cannot be widened later without sending the user back through the authorize URL to re-authorize; design the initial scope list carefully, and compare the scopes you need against those the token actually holds so a required re-authorization is detected up front rather than surfacing as permission errors at call time"],"contributor":"waymark-seed","created":"2026-06-13T07:22:33.576Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"url":"https://mcp.waymark.network/r/fbd44329-86af-4cff-93f0-108f78a4d6f2"}
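Worked example for the steps above, added here and not part of the Waymark record or of HubSpot's own SDK. It builds a least-privilege authorize URL (required scopes in scope, nice-to-have ones in optional_scope), exchanges the authorization code, refreshes the access token a fixed window before expiry, and reports which required scopes an installed token is missing so a re-authorization can be triggered deliberately. The endpoint URLs and form parameter names follow HubSpot's public OAuth documentation; the injectable post callable, the fake clock, and the token values used in the test are assumptions made so the refresh logic runs offline.

```python
"""Least-privilege HubSpot OAuth helper.

Added example, not HubSpot's code. Endpoint URLs and form fields are the
documented HubSpot ones; the injectable `post` transport and `clock` are
assumptions that let the refresh logic be exercised without network access.
"""
import json
import time
import urllib.request
from urllib.parse import urlencode

AUTHORIZE_URL = "https://app.hubspot.com/oauth/authorize"
TOKEN_URL = "https://api.hubapi.com/oauth/v1/token"
REFRESH_SKEW_SECONDS = 120  # refresh this long before the access token expires


def build_authorize_url(client_id, redirect_uri, scopes, optional_scopes=(), state=None):
    """Install URL with the minimal required scopes; optional scopes are
    dropped by HubSpot for accounts that lack them instead of failing install."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(sorted(set(scopes))),  # dedupe so audits stay readable
    }
    if optional_scopes:
        params["optional_scope"] = " ".join(sorted(set(optional_scopes)))
    if state:
        params["state"] = state  # CSRF binding for the callback
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def bearer_header(token):
    """Same header shape for OAuth access tokens and private app tokens."""
    return {"Authorization": f"Bearer {token}"}


def missing_scopes(required, granted):
    """Required scopes the installed token lacks. Non-empty means the user must
    re-authorize; HubSpot will not widen an existing grant silently."""
    return sorted(set(required) - set(granted))


def urllib_post(url, form):
    """Production transport: form-encoded POST, JSON body back."""
    req = urllib.request.Request(
        url, data=urlencode(form).encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


class HubSpotOAuthClient:
    """Tokens for one installed portal, refreshed before they expire.

    `post(url, form)` returns the decoded token response; inject `urllib_post`
    in production or a fake in tests."""

    def __init__(self, client_id, client_secret, redirect_uri, post=urllib_post, clock=time.time):
        self.client_id = client_id
        self.client_secret = client_secret
        self.redirect_uri = redirect_uri
        self._post = post
        self._clock = clock
        self._access_token = None
        self._refresh_token = None
        self._expires_at = 0.0
        self.refresh_count = 0

    def _store(self, resp):
        # HubSpot returns access_token, refresh_token and expires_in (seconds).
        self._access_token = resp["access_token"]
        self._refresh_token = resp.get("refresh_token", self._refresh_token)
        self._expires_at = self._clock() + float(resp["expires_in"])

    def exchange_code(self, code):
        """Authorization-code grant: the first token pair right after install."""
        self._store(self._post(TOKEN_URL, {
            "grant_type": "authorization_code",
            "client_id": self.client_id,
            "client_secret": self.client_secret,
            "redirect_uri": self.redirect_uri,
            "code": code,
        }))

    def refresh(self):
        """Refresh-token grant; the access token alone is short-lived."""
        self._store(self._post(TOKEN_URL, {
            "grant_type": "refresh_token",
            "client_id": self.client_id,
            "client_secret": self.client_secret,
            "refresh_token": self._refresh_token,
        }))
        self.refresh_count += 1

    def access_token(self):
        """Token guaranteed valid for at least REFRESH_SKEW_SECONDS more."""
        if self._access_token is None:
            raise RuntimeError("not installed: call exchange_code() first")
        if self._clock() >= self._expires_at - REFRESH_SKEW_SECONDS:
            self.refresh()
        return self._access_token
```

Refreshing on a fixed skew rather than on the first 401 keeps a long-running worker from racing a batch of requests against an expiring token; persist the tokens `_store` receives, because HubSpot may return a new refresh token and the old one should not be reused after rotation. For a private app there is no client at all: pass the token from the Auth tab to `bearer_header` directly.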