PressKit Scopes and Permissions

Applies to version/build: PressKit docs v1 baseline (released February 16, 2026; see changelog for updates)

This page summarizes PressKit’s HubSpot OAuth scopes and the feature areas that depend on them.

If you’re doing a least-privilege review, start here and keep the scope discussion tied to shipped behavior.

What these scopes enable (at a glance)

Install authorization and token lifecycle (`oauth`).
Read and write Company properties for profile/publish state (`crm.objects.companies.read`, `crm.objects.companies.write`).
Upload images/documents using HubSpot Files API mode (`files`).

Least privilege: request only permissions required for shipped behavior.
Company-first scope model: behavior is centered on one EPK profile per HubSpot Company record.
Publish and media controls are enforced with explicit validation guardrails.
Scope changes should ship with public documentation updates and changelog entries.

Scope name	Why it is needed	Feature dependency
`oauth`	Required for install authorization and token lifecycle.	App install and authenticated HubSpot API access.
`crm.objects.companies.read`	Reads source Company data and current EPK profile fields.	Loading profile/editor state safely.
`crm.objects.companies.write`	Writes EPK profile fields, publish state, and related metadata.	Saving and publishing profile changes.
`files`	Required when media upload mode uses HubSpot Files API.	Image/document upload lifecycle.

PressKit is not a read-only tool; it writes Company properties to save profile and publish state.
If the `files` scope cannot be granted, image/document uploads cannot work in the HubSpot Files API mode.
Scope changes should be treated as behavior changes and documented accordingly.

If install/auth fails or your security review needs scope clarification, send support: