ESHOPMANESHOPMAN Logo
Our Blog

HubSpot App Verification & AI Tools: Demystifying MCP Auth Apps and Write Access

HubSpot App Verification & AI Tools: Demystifying MCP Auth Apps and Write Access

Hey ESHOPMAN community! As experts living and breathing HubSpot and e-commerce, we know that integrating powerful tools into your CRM is key to scaling your business. Lately, there's been a lot of buzz around AI, and many of you are looking to connect custom AI solutions directly into HubSpot. But what happens when you build a cutting-edge AI tool using HubSpot's new MCP Auth App framework, only to hit a wall with verification, distribution, and even fundamental capabilities like write access?

That's exactly the challenge a community member recently grappled with in the HubSpot Community, and their detailed questions sparked a crucial discussion that sheds light on the evolving landscape of HubSpot's app platform. Let's dive into their journey and what we can learn about building and deploying apps on HubSpot today.

The Quest for Verification: MCP Auth Apps and the 'Unverified' Banner

The original poster built an impressive AI tool, connecting it to HubSpot via an MCP Auth App created through the self-service flow. This uses the official Remote MCP Server with OAuth 2.1 + PKCE, which is the modern, secure way to do things. However, they immediately ran into a common developer headache: a banner warning that their app was 'not verified.' This led to a series of pressing questions:

  • How do MCP Auth Apps become verified, especially since the standard Marketplace listing flow seemed to apply to other app types?
  • Does the 25-install cap for unlisted apps apply here, and if so, is it per user or per HubSpot account?
  • What’s the intended path for verification and distribution for these specific apps?

The urgency was palpable, with the poster aiming for a customer launch within a week. This highlights a critical need for clear documentation and pathways from HubSpot for developers leveraging their latest frameworks.

Cracking the Code: Verification Path Revealed

While the community moderators were busy tagging experts, the original poster did some digging and found a crucial piece of the puzzle themselves. Good news! They discovered that MCP Auth Apps do appear in the Marketplace listing flow under 'App Listings.' This means that, despite initial confusion, the standard process for submitting a listing applies for verification.

Actionable Takeaway: If you're building an MCP Auth App and are concerned about verification, rest assured that the path forward involves submitting a listing through the standard App Listings interface within your HubSpot developer account. This will require meeting HubSpot's listing requirements, including security reviews and providing clear documentation for your app.

The Lingering Questions: Distribution Limits and the Write Access Hurdle

Even with the verification path clarified, two major questions remained from the original post, and a couple of new, critical ones emerged:

1. The 25-Install Cap for Unlisted Apps

The original poster still needed to know if the 25-install cap for unlisted apps applies to MCP Auth Apps. This is a big deal for any developer starting out. Hitting a cap quickly can halt your distribution strategy and make testing with a larger user base impossible without full verification.

2. The Critical Write Access Gap for Third-Party Apps

This is where things get really interesting – and potentially frustrating for developers. The original poster observed that HubSpot's own first-party connectors for AI tools like Claude and ChatGPT have access to manage_crm_objects (meaning they can write data to HubSpot CRM). However, their third-party MCP Auth App only received read tools.

This raises a fundamental question about the capabilities of third-party MCP Auth Apps: Is write access on the roadmap? For many AI tools, simply reading data isn't enough; they need to update records, create tasks, or log activities based on their insights. This limitation could severely restrict the utility of third-party AI integrations built on this framework.

While building a mobile storefront with tools like vajro shopify might offer straightforward write capabilities, integrating sophisticated AI tools that need to write back to a CRM like HubSpot presents unique, and currently limited, challenges on the MCP Auth App platform.

3. Alternative Paths if Write Access Isn't Coming Soon

If write access isn't in the near-term plans for third-party MCP Auth Apps, the original poster considered an alternative: building a separate public app with explicit CRM write scopes and calling the REST API directly. This brings up another important architectural question for HubSpot developers:

  • For a pure OAuth + API integration with no UI inside HubSpot, what's the recommended path – a 'Legacy App' (often referred to as a 'Public App' or 'Private App' in the developer portal) or a 'Project' (platform v2025.2+)?

Our Expert Take: For pure OAuth and API integrations that don't embed UI elements within the HubSpot interface (like CRM cards or UI extensions), the 'Public App' or 'Private App' path (which is the evolution of what was once called 'Legacy App') is generally the way to go. HubSpot's 'Projects' framework is primarily designed for apps that intend to extend the HubSpot UI, leverage serverless functions directly within HubSpot, or build more complex, multi-component applications. If your AI tool simply needs to read and write data via the API, a standard Public/Private App offers the necessary scopes without the overhead of the Projects framework.

ESHOPMAN Team Comment

The ESHOPMAN team believes the original poster hit on a critical pain point for developers pushing the boundaries with AI and HubSpot. It's concerning to see third-party MCP Auth Apps currently limited to read-only access while HubSpot's own first-party tools have full write capabilities. This creates an uneven playing field and significantly hampers the innovation external developers can bring. HubSpot needs to provide clearer guidance on distribution limits and a concrete timeline for opening up write access for third-party MCP Auth Apps to truly empower its developer ecosystem.

The Road Ahead for HubSpot Developers

This community discussion perfectly illustrates the dynamic nature of platform development. While HubSpot is rapidly evolving its tools, especially for AI, there are often gaps in documentation and feature parity that developers must navigate. For RevOps professionals and marketers running stores with HubSpot, understanding these nuances is crucial when evaluating or planning custom integrations.

Keep an eye on the HubSpot developer changelog and community forums. As more developers leverage these new frameworks, the clarity and capabilities are bound to improve. In the meantime, planning your app architecture carefully, understanding the current limitations, and choosing the right app creation path (Public App for pure API, Project for UI extensions) will be key to successful HubSpot integrations.

Share: