Payload structure looks fine. Digital engine spits out a 400 anyway. Schema validation trips on the guest profile matrix. Rate limits don’t trigger since we’re capping at 5 req/s. Session token generation fires, but the atomic POST dies before the webhook callback logs anything. Input sanitization pipeline looks clean.
The suggestion above - checking the Authorization header - is a good starting point. We’ve seen similar 400 errors when the siteId doesn’t have the correct permissions assigned. It’s not just about the SCOPE, but also the role associated with the OAuth client.
Can you confirm which OAuth client you are using for this request? Is it a client created for a specific application, or a system client?
Also, the API documentation mentions a required attribute - conversationId. It’s possible the API expects it even for a new conversation. Try adding this to your payload.
Here’s an example payload, modified from the original post:
The optional-conversation-id is only needed when you want to continue a conversation. If it is a new conversation, can you test without it? I am curious if it changes the response. I recall a similar issue discussed in the community a few weeks ago, it was also related to missing attributes. Let me know if this helps.
We’ve seen issues where the client isn’t properly linked to the site ID - maybe a permissions problem? It’s a bit confusing, but check the role assignments.