DupliCat Scopes and Permissions
Last updated: March 18, 2026 (America/Los_Angeles)
Applies to version/build: DupliCat v0.1.6 (released February 16, 2026)
This page is the operator-facing scope map for DupliCat.
Source of truth: the DupliCat HubSpot app metadata (requiredScopes). Current required scope set: 28 scopes.
Principles
- Least privilege: request only scopes required for shipped clone + settings behavior.
- Single source of truth: this page is maintained as the customer-facing scope reference for reviews and approvals.
- Template management is portal-local configuration and does not require additional HubSpot OAuth scopes.
- Capability alignment: this scope set covers record-view cloning, workflow action cloning, duplicate count control (`1-10`), template defaults (portal defaults and personal defaults), enhanced overrides, name prefix behavior, broad object-family support, and related activity copying.
- Ephemeral data handling: CRM record data is processed in server memory for the duration of the clone request. Property values are never written to disk, cached, or logged. See [Privacy](/privacy) for details.
- No optional or conditional scopes are requested in the current release.
- No data selling: CleverCat does not sell customer data.
- Retention and deletion: see [Privacy](/privacy) for storage/retention and [Support](/support) for portal-level deletion requests.
Capability alignment
This scope set supports deals, contacts, companies, tickets, orders, projects, quotes, activity objects, and custom objects across the current record sidebar/preview surfaces, workflow action cloning, deal line_items deep-clone behavior, related activity copying (notes, tasks, calls, meetings, emails), Number of duplicates controls (1-10), templates, portal defaults, personal defaults, enhanced overrides, and the [Duplicate] name prefix contract.
Scope justification table
| Scope name | Why it is needed | Feature dependency | Data touched |
|---|---|---|---|
oauth | Required for OAuth install, token exchange, and token refresh lifecycle. | Install and authenticated API access fail without it. | OAuth grant, access token, refresh token metadata. |
crm.objects.contacts.read | Read source contact values and selected associations before clone construction. | Contact clone payload cannot be built safely. | Contact properties and associated record IDs. |
crm.objects.contacts.write | Create cloned contact records and apply writable property values. | Contact clones cannot be created. | New contact properties and association links. |
crm.objects.companies.read | Read source company values and selected associations before clone construction. | Company clone payload cannot be built safely. | Company properties and associated record IDs. |
crm.objects.companies.write | Create cloned company records and apply writable property values. | Company clones cannot be created. | New company properties and association links. |
crm.objects.deals.read | Read source deal values and selected associations before clone construction. | Deal clone payload cannot be built safely. | Deal properties and associated record IDs. |
crm.objects.deals.write | Create cloned deal records and apply writable property values. | Deal clones cannot be created. | New deal properties and association links. |
crm.objects.orders.read | Read source order values and selected associations before clone construction. | Order clone payload cannot be built safely. | Order properties and associated record IDs. |
crm.objects.orders.write | Create cloned order records and apply writable property values. | Order clones cannot be created. | New order properties and association links. |
crm.objects.projects.read | Read source project values and selected associations before clone construction. | Project clone payload cannot be built safely. | Project properties and associated record IDs. |
crm.objects.projects.write | Create cloned project records and apply writable property values. | Project clones cannot be created. | New project properties and association links. |
crm.objects.quotes.read | Read source quote values and selected associations before clone construction. | Quote clone payload cannot be built safely. | Quote properties and associated record IDs. |
crm.objects.quotes.write | Create cloned quote records and apply writable property values. | Quote clones cannot be created. | New quote properties and association links. |
sales-email-read | Read source email content and metadata for email activity cloning and related activity copying. | Email clone payload cannot be built; related activity email copying fails. | Email body content, headers, and metadata during clone construction. |
automation | Required for HubSpot workflow action registration and workflow enrollment runtime context. | Workflow action entry path is unavailable without it. | Workflow action execution metadata and runtime linkage context. |
tickets | Read source ticket values and create cloned ticket records (including ticket-related associations in clone flows). | Ticket clone payload construction and ticket clone creation fail. | Ticket properties, association IDs, and ticket metadata used during clone operations. |
crm.objects.line_items.read | Read source line items when deal clone includes line-item association handling and deep-clone paths. | Line item association handling and deep-clone input loading fail. | Line item properties tied to source deal line items. |
crm.objects.line_items.write | Create cloned line item records and associate them to cloned deals during deep clone. | Deep-cloned line items cannot be created. | New line item properties and cloned associations. |
crm.objects.custom.read | Read source custom object values and selected associations before clone construction. | Custom object clone payload cannot be built safely. | Custom object properties and associated record IDs. |
crm.objects.custom.write | Create cloned custom object records and apply writable property values. | Custom object clones cannot be created. | New custom object properties and association links. |
crm.schemas.contacts.read | Resolve writable/unique/contact schema constraints before writing clone payloads. | Writable filtering and safe field handling degrade. | Contact property metadata (schema only). |
crm.schemas.companies.read | Resolve writable/unique/company schema constraints before writing clone payloads. | Writable filtering and safe field handling degrade. | Company property metadata (schema only). |
crm.schemas.deals.read | Resolve writable/unique/deal schema constraints before writing clone payloads. | Writable filtering and safe field handling degrade. | Deal property metadata (schema only). |
crm.schemas.orders.read | Resolve writable/unique/order schema constraints before writing clone payloads. | Writable filtering and safe field handling degrade. | Order property metadata (schema only). |
crm.schemas.projects.read | Resolve writable/unique/project schema constraints before writing clone payloads. | Writable filtering and safe field handling degrade. | Project property metadata (schema only). |
crm.schemas.quotes.read | Resolve writable/unique/quote schema constraints before writing clone payloads. | Writable filtering and safe field handling degrade. | Quote property metadata (schema only). |
crm.schemas.line_items.read | Resolve writable/line-item schema constraints for deep-clone line item creation. | Deep-clone line item payload filtering degrades. | Line item property metadata (schema only). |
crm.schemas.custom.read | Resolve writable/unique/custom object schema constraints before writing clone payloads. | Writable filtering and safe field handling degrade. | Custom object property metadata (schema only). |
Boundary notes
- The scope set supports cloning for Deals, Contacts, Companies, Tickets, Orders, Projects, Quotes, Activity Objects, and Custom Objects.
- Deal `line_items` support requires line item read/write + schema read scopes.
- Related activity copying (notes, tasks, calls, meetings, emails) is supported for source records that have associated activities.
- Workflow cloning requires `automation`.
- Email activity cloning requires `sales-email-read`.
- No scopes are requested for attachments or marketing assets.
If your security team needs endpoint-level mapping before approval, contact support@clevercat.app with your portal ID.
Support intake checklist
If your scope review or install flow fails, contact support with:
- Portal ID
- The install timestamp with timezone
- A screenshot of the scope consent screen (if available)
- Any error text you see (copy/paste)