TabCalendar Scopes and Permissions

Applies to version/build: TabCalendar Production (controlled access) docs baseline (updated February 19, 2026; see changelog)

This page summarizes TabCalendar’s HubSpot OAuth scopes and the feature areas that depend on them.

If you’re doing a least-privilege review, start here and keep the scope discussion tied to shipped behavior.

Principles

Least privilege: request only scopes required for shipped behavior.
Company-centric model: availability planning is anchored to Company context.
Change discipline: scope changes should ship with docs updates and changelog entries.

Scope name	Why it is needed	Feature dependency
`oauth`	Required for install authorization and token lifecycle.	App install and authenticated HubSpot API access.
`crm.objects.companies.read`	Reads Company record context and mapped calendar data.	Company-centric calendar rendering and context resolution.
`crm.objects.companies.write`	Included in the app’s default CRM write scope set for Company-context write/association operations.	Company-linked create flows and association writes.
`crm.objects.contacts.read`	Used for HubSpot engagement/notes authorization paths.	Note-related reads where applicable.
`crm.objects.contacts.write`	Used for HubSpot engagement/notes write paths.	Calendar-triggered Note creation flows.
`crm.objects.deals.read`	Reads Deal data for mapped date layers and calendar overlays.	Deal layer rendering in yearly calendar view.
`crm.objects.deals.write`	Creates/updates deal data from day-level actions.	Calendar-triggered deal creation flows.

Workflow Action metadata exists, but the Workflow Action remains unpublished.
Google integration is import-focused and does not claim bidirectional sync.
HubSpot deploy rejects `crm.objects.notes.*` as unrecognized scopes; TabCalendar uses contacts scopes for notes/engagement authorization.
ICS subscription feeds are optional and may be disabled by default.

If install/auth fails or your security review needs scope clarification, send support: