OAuth User-Agent Flow implementation with HubSpot returns error after authentication

Hi everyone,

I’m setting up a HubSpot OAuth integration with my Bubble app, using the standard API Connector and redirect flow. After authenticating with HubSpot, I get redirected back to my app but receive an error page instead of a successful connection. I feel like I’ve tried a million things, usually resulting in a blank 400 message. But the latest attempt has given me this error:

Error message:

API Connector error: the Oauth2 API HubSpot OAuth is not configured properly – Received error from api The service this service just returned an error (HTTP 403).

[Followed by a CloudFront error page: “The request could not be satisfied. This distribution is not configured to allow the HTTP request method that was used…”]

I’ve attached screenshots of the error message and the HTML returned.

Details:

  • App is on Bubble (no direct CloudFront or server access)
  • All HubSpot and Bubble OAuth settings (redirect URI, client ID/secret) match documentation
  • The error only appears after HubSpot redirects back to my app on /api/1.1/oauth_redirect

Has anyone else run into this? Is there something I need to adjust in Bubble’s API/config to allow the redirect, or is this a Bubble/server-side issue I should ask support about? Any tips would be very appreciated!

Thanks in advance for any help.

This is my setup in my HS public app:

This is my setup in the Bubble API connector:

The access_token endpoint for url info will not work because Hubsport request you to send the token in the url (something that Bubble will not do).

I’m not sure if there’s another endpoint you can use for that

1 Like

This doesn’t works in bubble,

Call this url format from bubble for oauth2

https://app-eu1.hubspot.com/oauth/authorize?
client_id=YOUR_CLIENT_ID_HERE&
redirect_uri=https://orgdata.no/api/1.1/oauth_redirect&
scope=crm.objects.companies.read crm.objects.companies.write oauth

This will give the code

Then call the token api to get the token

POST
https://api.hubapi.com/oauth/v1/token
Content-Type: application/x-www-form-urlencoded

Parameters

grant_type=authorization_code
client_id=YOUR_CLIENT_ID
client_secret=client_secret
redirect_uri=redirect_uri

2 Likes

Thank you so much for your reply, @rishabh2810ag. I tried to set it up manually, but now I get an “Invalid state from oauth provider” error.

Thanks, @Jici

My errors makes a bit more sense now, I’ve been at this for days. I’ve tried to set it up manually with API requests, but it gives me an error about the state.

And also, by doing it manually, I would need to uncheck the “private” checkbox for the token parameter so that I could dynamically populate it with the returned token, which makes me think this would be a very unsecured solution.

If you are talking about the access token you will get, this should be managed by privacy rules and not an issue for security because the access_token belong to the current user. So even if this user can see is own access token, this is not a problem but you need to be sure to set your privacy rules so only the owner of the access_token can see it.