This guide is for IT and security teams evaluating Bliro's integration with HubSpot. It covers the authentication model, the permissions Bliro requests during consent, and how Bliro enforces tool-level permissions through its AI agents.
Overview
Bliro connects to HubSpot using user-delegated OAuth 2.0. Bliro acts on behalf of the signed-in user and cannot perform any action in HubSpot that the user themselves is not permitted to perform. The integration is delivered through Bliro's HubSpot Public App.
Public App name: Bliro - AI for your Meetings
How the Integration Works
When a user connects HubSpot in Bliro, the following happens:
Bliro initiates an OAuth 2.0 authorization request against app.hubspot.com/oauth/authorize.
The user signs in to HubSpot, selects the HubSpot account to connect, and approves the requested scopes.
HubSpot issues an access token and a refresh token bound to the user, the Bliro app, and the selected HubSpot account.
Bliro uses the access token to call the HubSpot CRM API on the connected account on behalf of that user.
When the access token expires, Bliro silently refreshes it using the refresh token until the user disconnects or an administrator uninstalls the app.
All HubSpot requests are subject to the user's own identity and HubSpot user permissions. Bliro never holds an integration-user or application-level credential against your HubSpot account.
Prerequisites
The user has access to the relevant HubSpot account and the HubSpot user permissions needed for the CRM objects they want Bliro to read or write (Contacts, Companies, Deals, Tickets, etc.).
Your HubSpot account permits installation of the Bliro Public App. If your HubSpot Super Admin has restricted who can install apps, an administrator must permit the user (or install the app account-wide) before the user can complete the OAuth flow.
The user is signed in to Bliro.
Setup: Connecting Bliro to HubSpot
In Bliro, open Integrations and select HubSpot.
Click Connect. Bliro redirects you to the HubSpot sign-in page.
Sign in with your HubSpot credentials and choose the HubSpot account you want to connect.
Review the requested permissions and approve the connection. The requested permissions are listed in detail in the next section.
Bliro redirects you back to the integration page.
Configure the Tools & Permissions that Bliro is allowed to use on your behalf.
Requested Permissions (OAuth Scopes)
During consent, Bliro requests exactly the following nine scopes for the HubSpot integration. Each is listed below with its purpose and justification.
Scope | Justification |
oauth | The foundational HubSpot OAuth scope. Required for OAuth 2.0 authentication with HubSpot and to identify the user-app pairing within the connected HubSpot account. Does not grant any additional data access on its own. |
crm.objects.companies.read | Reads Company records. Used to brief the user on company context before a meeting and to resolve company names mentioned in conversation to the correct Company. Read-only. |
crm.objects.companies.write | Creates and updates Company records. Required for the Create Company and Update Company tools – for example, logging a new account captured during a meeting or updating a company's properties after a call. Bliro cannot create or modify records the user's own HubSpot permissions would not allow. |
crm.objects.contacts.read | Reads Contact records. Used to brief the user on a contact before a meeting and to resolve names mentioned in conversation to the correct Contact. Read-only. |
crm.objects.contacts.write | Creates and updates Contact records. Required for the Create Contact and Update Contact tools – for example, logging a new contact captured during a meeting or updating a contact's role after a call. |
crm.objects.deals.read | Reads Deal records. Used to surface open deals and pipeline stage before a customer meeting and to attach deal context to post-meeting follow-ups. Read-only. |
crm.objects.deals.write | Creates and updates Deal records. Required for the Create Deal and Update Deal tools – for example, creating a new opportunity captured during a discovery call or advancing the deal stage after a meeting. |
crm.objects.owners.read | Reads HubSpot Owner records (HubSpot users who can be assigned to CRM objects). Lets Bliro resolve an owner mentioned by name to the correct HubSpot user when assigning records, and correctly attribute newly created records. Read-only. |
tickets | Provides read and write access to HubSpot Service Hub Tickets. Used to surface open tickets relevant to a customer before a meeting and to create or update tickets when the user explicitly requests it through a configured Tool. As with all write operations, the user's HubSpot permissions are applied on each call. |
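A reviewer can compare the scopes on the consent URL with the nine scopes in the table above. The following is an added example, not Bliro's or HubSpot's code; the sample URLs, the client_id and redirect_uri values, and the extra scope in the second URL are constructed for illustration.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# The nine scopes this page documents for the Bliro HubSpot integration.
DOCUMENTED_SCOPES = frozenset({
    "oauth",
    "crm.objects.companies.read", "crm.objects.companies.write",
    "crm.objects.contacts.read", "crm.objects.contacts.write",
    "crm.objects.deals.read", "crm.objects.deals.write",
    "crm.objects.owners.read",
    "tickets",
})
# Scopes the table describes as allowing create or update operations.
WRITE_CAPABLE = frozenset(
    {s for s in DOCUMENTED_SCOPES if s.endswith(".write")} | {"tickets"}
)

def audit_consent_url(url):
    """Compare the scopes on a HubSpot consent URL with the documented set."""
    parts = urlsplit(url)
    if (parts.scheme, parts.hostname, parts.path) != (
        "https", "app.hubspot.com", "/oauth/authorize"
    ):
        raise ValueError("not a HubSpot OAuth authorize URL: %r" % url)
    query = parse_qs(parts.query)  # decodes %20 and '+' to spaces
    requested = set()
    # HubSpot accepts required scopes in 'scope' and optional ones in
    # 'optional_scope'; both are space-separated and both grant access.
    for key in ("scope", "optional_scope"):
        for value in query.get(key, []):
            requested.update(value.split())
    return {
        "unexpected": sorted(requested - DOCUMENTED_SCOPES),
        "missing": sorted(DOCUMENTED_SCOPES - requested),
        "write_capable": sorted(requested & WRITE_CAPABLE),
    }

def _sample_url(scopes):
    # Constructed sample; client_id and redirect_uri are placeholders.
    return "https://app.hubspot.com/oauth/authorize?" + urlencode({
        "client_id": "EXAMPLE-CLIENT-ID",
        "redirect_uri": "https://example.invalid/callback",
        "scope": " ".join(sorted(scopes)),
    })

SAMPLE_OK = _sample_url(DOCUMENTED_SCOPES)
# Constructed drift case: one documented scope absent, one extra scope present.
SAMPLE_DRIFT = _sample_url(
    (DOCUMENTED_SCOPES - {"tickets"}) | {"crm.objects.quotes.read"}
)

if __name__ == "__main__":
    for name, url in (("ok", SAMPLE_OK), ("drift", SAMPLE_DRIFT)):
        print(name, audit_consent_url(url))
```

A non-empty `unexpected` list means the consent screen is asking for more than this page documents and should be questioned before approval.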
Tools and Permissions
Even with the CRM scopes granted, Bliro does not perform any HubSpot operation by default. Each individual action Bliro can take, for example Read Contact, Create Company, or Update Deal, is modeled as a tool with its own permission level, configured by an organization administrator.
For HubSpot, administrators can also create custom tools by selecting any HubSpot CRM object; Bliro then automatically generates the corresponding Read, Create, and Update tools for it.
For a full explanation of the tool model, permission levels, the Ask for Permission flow, and how Bliro enforces denied tools, see AI Tools and Permissions.
Security Considerations
User-delegated only. Bliro never holds an integration-user or application-level credential against your HubSpot account. Every API call is authenticated as the user, and HubSpot applies that user's permissions, team membership, and – where licensed – property-level access on each request.
Token storage. Refresh tokens are stored encrypted at rest. Access tokens are short-lived and held only for the duration of an operation.
Auditability in HubSpot. Because Bliro acts as the user, every read and write is attributed to that user in HubSpot (Created By / Last Modified By properties, per-property history, and – where licensed – Account Activity History), making activity reviewable through native HubSpot tooling.
Account-level security policies. Any account-level security policy your HubSpot Super Admin enforces (SSO, 2FA, session settings, and IP allowlisting where available) applies equally to Bliro's calls.
Disconnecting and Revoking Access
Users can disconnect HubSpot at any time from the integration screen in Bliro by clicking Disconnect. This deletes the refresh token from Bliro's side and ends Bliro's ability to call HubSpot on the user's behalf.
In addition, a HubSpot administrator can revoke Bliro's access account-wide via Settings → Integrations → Connected Apps, where the Bliro app can be uninstalled or have its access removed.
IT Security Material
For Bliro's broader approach to security and privacy, see our Trust Center.
Contact and Help
Questions about the HubSpot integration, scope justifications, or central administration? Contact [email protected].
