OAuth Scope Approval
When you install the QuickBooks Invoicing integration, HubSpot will ask you to approve specific permissions (OAuth scopes) that allow the app to access your HubSpot data. This page explains what each permission means and why it’s needed.
Understanding OAuth Scopes
OAuth scopes define what data the integration can access in your HubSpot account. They follow the principle of least privilege - we only request the minimum permissions necessary for the integration to function.
Important: All requested scopes are read-only. The integration does not modify, create, or delete any data in your HubSpot CRM.
Approval Screen
During installation, you’ll see a screen similar to this:
What You’ll See on the Approval Screen
The OAuth approval screen displays:
- App Name: “QuickBooks Invoicing” at the top
- Account Selector: Dropdown if you have multiple HubSpot accounts
- Permissions List: Each scope with a checkbox
- Scope Descriptions: What each permission allows
- Action Buttons: “Connect app” (approve) and “Cancel”
Note: All checkboxes must remain checked to complete installation. Unchecking any scope will cause installation to fail.
The screen will display:
- App name (QuickBooks Invoicing)
- List of requested permissions
- Description of each permission
- Connect app button to approve
Required Scopes
The integration requests the following scopes:
1. OAuth (oauth)
Permission Level: Base OAuth authentication
What it allows:
- Establishes secure authentication between HubSpot and the integration
- Enables token-based API access
- Required for all OAuth-based integrations
Why we need it:
- Foundation for all API communication
- Enables secure, authorized access to HubSpot data
- Manages authentication tokens and session
Data accessed: None directly - this is just the authentication framework
2. Contact Read (crm.objects.contacts.read)
Permission Level: Read-only access to contacts
What it allows:
- Read contact names (first name, last name)
- Access contact email addresses
- View contact company associations
- Read contact phone numbers
- Access billing address information
Why we need it:
- Sync HubSpot contacts to QuickBooks customers
- Populate customer information on invoices
- Display contact details in invoice creation form
- Match contacts to existing QuickBooks customers
Data accessed:
- Contact properties:
firstname,lastname,email,phone,company - Contact associations to deals
- Billing address fields
What we DON’T do:
- ❌ Modify contact records
- ❌ Create new contacts
- ❌ Delete contacts
- ❌ Change contact properties
3. Deal Read (crm.objects.deals.read)
Permission Level: Read-only access to deals
What it allows:
- Read deal names and amounts
- Access deal stage information
- View deal associations (contacts, line items, quotes)
- Read deal properties
Why we need it:
- Display deal information on the QuickBooks Invoices card
- Calculate invoice amounts based on deal values
- Access quoted amounts for invoice creation
- Track which deals have been invoiced
Data accessed:
- Deal properties:
dealname,amount,dealstage - Deal associations to contacts and quotes
- Currency information
- Deal creation and modification dates
What we DON’T do:
- ❌ Modify deal properties
- ❌ Change deal stages
- ❌ Create or delete deals
- ❌ Update deal amounts
4. Line Items Read (crm.objects.line_items.read)
Permission Level: Read-only access to line items
What it allows:
- Read line item details from deals
- Access product names and prices
- View quantities and discounts
Why we need it:
- Calculate total deal amounts including line items
- Reference product information for invoices
- Display itemized totals
Data accessed:
- Line item properties:
name,price,quantity,amount - Product associations
- Discount information
What we DON’T do:
- ❌ Modify line items
- ❌ Create or delete line items
- ❌ Change prices or quantities
5. Quotes Read (crm.objects.quotes.read)
Permission Level: Read-only access to quotes
What it allows:
- Read quote data associated with deals
- Access quote amounts and titles
- View quote status (signed/unsigned)
- Read quote line items
Why we need it:
- Only create invoices from signed quotes
- Import quote amounts into invoices
- Display quote information in invoice creation
- Ensure invoice accuracy matches quoted amounts
Data accessed:
- Quote properties:
hs_title,hs_quote_amount,hs_status - Quote associations to deals
- Quote signature status
- Currency information
What we DON’T do:
- ❌ Modify quotes
- ❌ Change quote status
- ❌ Create or delete quotes
- ❌ Update quote amounts
6. Invoices Read (crm.objects.invoices.read)
Permission Level: Read-only access to invoice objects
What it allows:
- Read HubSpot invoice records (if you use them)
- Track invoice status in HubSpot
Why we need it:
- Future compatibility with HubSpot invoice objects
- Potential invoice status tracking
- Maintain consistency across invoice systems
Data accessed:
- Invoice properties in HubSpot
- Invoice associations
What we DON’T do:
- ❌ Create HubSpot invoices
- ❌ Modify invoice status
- ❌ Delete invoice records
Note: This integration creates invoices in QuickBooks, not in HubSpot’s invoice objects.
Security and Privacy
Data Handling
How we use your data:
- Data is read only when needed (e.g., when creating an invoice)
- No data is stored permanently on our servers
- API requests use secure HTTPS encryption
- OAuth tokens are encrypted and stored securely
Where data goes:
- HubSpot data → Our backend → QuickBooks API
- QuickBooks response → Our backend → HubSpot display
- No third-party sharing
- No data sold or used for marketing
Data Retention
- API Responses: Temporary, processed and discarded
- OAuth Tokens: Encrypted, stored securely, refreshed automatically
- User Preferences: Settings only (tax codes, product defaults)
- No Business Data: We don’t store your invoices, contacts, or deals
Compliance
- GDPR Compliant: Data processing follows GDPR guidelines
- HTTPS Only: All communication encrypted
- Token Security: OAuth tokens rotated and encrypted
- Audit Logs: All API calls logged for security
Scope Approval Process
Step-by-Step
- Click Install: On the HubSpot Marketplace listing
- Review Scopes: Read the list of requested permissions
- Understand Permissions: Reference this page for details
- Click Connect App: Approve the requested scopes
- Installation Complete: App is installed with approved permissions
What Happens After Approval
- OAuth access token is generated
- App can now make API calls to read HubSpot data
- CRM card is deployed to deal records
- Settings page becomes accessible
- You can configure QuickBooks connection
Can’t Approve Specific Scopes?
All scopes are required for the integration to function. If you cannot approve a scope:
- The integration will not install
- All features require all listed permissions
- Contact your HubSpot administrator if you lack permission to approve
Why All Scopes Are Required
| Scope | Required For |
|---|---|
oauth | Base authentication - absolutely required |
contacts.read | Customer sync and invoice recipient |
deals.read | Accessing deal data for invoice creation |
line_items.read | Calculating deal totals |
quotes.read | Importing signed quotes into invoices |
invoices.read | Future compatibility and status tracking |
Revoking Access
If you need to revoke the app’s access later:
- Go to Settings → Integrations → Connected Apps
- Find QuickBooks Invoicing
- Click Uninstall or Revoke Access
- Confirm the action
See our Uninstall Guide for more details.
Frequently Asked Questions
Can the app modify my HubSpot data?
No. All requested scopes are read-only. The integration cannot create, modify, or delete any records in HubSpot.
Does the app access all my contacts?
The app can read contact data only when needed (e.g., when creating an invoice). It doesn’t download or store your entire contact database.
What about sensitive contact information?
We only access basic contact fields needed for customer sync: name, email, phone, company, and billing address. We don’t access custom properties or sensitive data fields.
Can I grant only some of the permissions?
No. All listed scopes are required for the integration to function. It’s an all-or-nothing approval.
Can permissions be changed after installation?
Permissions are set during installation. To change them, you would need to uninstall and reinstall the app (though the same permissions would be requested).
Who can approve these scopes?
Only HubSpot Super Admin users can install apps and approve OAuth scopes.
Next Steps
- Install the app - Proceed with installation and approve scopes
- Verify installation - Confirm successful setup
- Connect to QuickBooks - Configure OAuth credentials
Additional Resources
- HubSpot OAuth Scopes Documentation
- OAuth 2.0 Security Best Practices
- Privacy Policy - Link to your privacy policy
- Terms of Service - Link to your terms of service