Briefing Doc: Declarative Optional Scopes for Public Apps - HubSpot API Update

Date: October 21, 2024

Subject: Mandatory Update for Public App Scope Declaration

Summary: This document reviews the upcoming changes to HubSpot's API, specifically regarding the declaration of optional scopes for public apps. Starting October 21, 2024, self-selection for declaring optional scopes will be disabled, requiring developers to adopt new advanced settings for managing app permissions.

Key Points:

• Mandatory Transition: All public app developers must transition to the new advanced auth settings and explicitly define required, optional, and conditionally required scopes for their applications. Failure to comply by October 21, 2024 will result in the app becoming unavailable for installation by customers.
• Enhanced Security and Installation Process: This update is primarily driven by a need to enhance security for public apps and improve the app installation experience from the HubSpot App Marketplace.
• Dynamic Permission Requests: While enforcing stricter scope management, the new settings retain the ability for apps to dynamically request specific permissions based on factors like tiered features or user-controlled functionality.
• Universal Impact: This update affects all HubSpot hubs and tiers, underscoring its significance for the entire developer ecosystem.

Key Quotes:

• "We are disabling the option for developers to self-select into declaring optional scopes on October 21, 2024." This statement emphasizes the mandatory nature of the update and the firm deadline for compliance.
• "These new settings ensure that all of the permissions that an app may request are controlled in the settings for the app, while still allowing apps to dynamically request specific permissions depending on things like tiered features or user controlled functionality." This clarifies the dual objectives of enhancing security through controlled permissions while preserving flexibility in dynamic permission requests.

Call to Action:

All developers of public HubSpot apps are urged to review the detailed information provided in the Developer Changelog post: "Advanced auth and scope settings for public apps". This resource will offer technical guidance on implementing the new advanced settings and properly defining the scopes required by their applications.

Potential Impact:

• Improved Security Posture: The enforced scope management will mitigate potential risks associated with overly permissive app access.
• Streamlined App Installation: Clearly defined scopes will lead to a more transparent and user-friendly installation process for customers.
• Increased Developer Responsibility: Developers will assume greater responsibility in meticulously managing and declaring the scopes required by their apps.

Next Steps:

• Familiarize yourself with the updated scope management system and advanced auth settings.
• Review the "Advanced auth and scope settings for public apps" Developer Changelog post.
• Update your public app's scope definitions in accordance with the new requirements before the October 21, 2024 deadline.

This briefing document serves as an overview of the upcoming changes. Developers are strongly encouraged to consult the official HubSpot documentation and developer resources for comprehensive technical details and implementation guidance.