Following First PoC of TeamMentor integration with HubSpot here is the brief agreed with Justin (a developer I found in elance.com)
The initial access token will be created manually and the refresh token saved in a secure place on the server. When the access token expires, the refresh token will be used to obtain a new one automatically. For security the refresh token will be securely stored on the server in one of the available private repositories. The OAuth token will have the predefined HubSpot scope of "contacts-rw" which has read and write capabilities on contacts only.
I really like the idea of using OAuth in the backend like this (to send new user data from TeamMentor into HubSpot).
I would prefer if HubSpot had a contracts-w or contracts-c permission where it was only possible to write or create contacts (and be able to see all contact data).
That said, contracts-rw is better than all-rw :)