Just noticed that my Node.js script receives a 403 when calling POST /api/v2/recordings/conversations/{conversationId}/actions/start.
{"code": "forbidden", "message": "User does not have permission to perform this action."}
I verified the OAuth token has recording:write scope. Why is the API rejecting the request?
According to the docs, recording:write grants the ability to modify recording settings, not to control the recording lifecycle during an active conversation. The 403 is expected because you are missing the specific conversation control scope.
- Add conversation:write to your OAuth client scopes. This is required to issue start/stop commands on the conversation object.
- Ensure the token is generated for a user or application with the ‘Recording Admin’ or ‘Conversation Control’ permission set in the organization’s security profile.
- Verify the conversationId matches the active session. If the conversation has already ended, the API will reject the start command.
Use this curl snippet to test the scope validity:
curl -X POST "https://api.mypurecloud.com/api/v2/recordings/conversations/{conversationId}/actions/start" \
-H "Authorization: Bearer {token_with_conversation_write}" \
-H "Content-Type: application/json"
If you still see a 403, check the application’s permission boundaries in the Genesys Cloud admin console. The error message is misleading; it is a scope boundary issue, not a user permission issue.
Have you tried adding the recording:control scope to your OAuth client configuration? The suggestion above regarding conversation:write is partially correct, but for specific recording actions like start and stop, Genesys Cloud often requires explicit permission to control the recording state itself. I was hitting a similar 403 Forbidden error in my Terraform provider scripts when deploying a custom recording policy. The error message “User does not have permission to perform this action” was misleading because I assumed recording:write was sufficient for all recording-related mutations.
In my case, updating the OAuth client in the Genesys Cloud admin portal to include both recording:control and conversation:write resolved the issue. Ensure your Node.js script is requesting these scopes during the token grant flow. If you are using a service account, verify that the account has the Recording Administrator role or equivalent permissions in the user settings. State drift in permissions can sometimes cause these intermittent failures, so double-check the effective scopes on the generated token using a tool like jwt.io.
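A local alternative to the jwt.io check mentioned above, as an added example that is not part of any post in this thread: it decodes the token in Node.js so the bearer token never leaves the machine, then reports which of the scopes named in the replies are missing. It assumes the token is a JWT with a `scope` or `scp` claim; the function names and the sample token are constructed for illustration.

```javascript
// Added example: inspect a bearer token's scopes locally instead of pasting it into a website.
// Assumption: the token is a JWT carrying scopes in a `scope` or `scp` claim.
// Opaque (non-JWT) tokens cannot be inspected this way and are reported as such.

// Scopes the replies in this thread say the start action needs.
const REQUIRED_SCOPES = ["recording:control", "conversation:write"];

// Decode the JWT payload WITHOUT verifying the signature (diagnostics only).
function decodePayload(token) {
  const parts = String(token).trim().split(".");
  if (parts.length !== 3) return null; // not a compact JWS, treat as opaque
  try {
    const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
    const claims = JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
    return claims !== null && typeof claims === "object" ? claims : null;
  } catch {
    return null; // payload was not valid base64url-encoded JSON
  }
}

// Normalise the scope claim: a space-delimited string or an array.
function grantedScopes(claims) {
  const raw = claims.scope ?? claims.scp ?? [];
  const list = Array.isArray(raw) ? raw : String(raw).split(/\s+/);
  return new Set(list.filter(Boolean));
}

// Returns { inspectable, granted, missing }; missing is null for opaque tokens.
function checkScopes(token, required = REQUIRED_SCOPES) {
  const claims = decodePayload(token);
  if (!claims) return { inspectable: false, granted: [], missing: null };
  const granted = grantedScopes(claims);
  const missing = required.filter((s) => !granted.has(s));
  return { inspectable: true, granted: [...granted].sort(), missing };
}

// Constructed sample token (placeholder signature), not a real credential.
function makeSampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "none", typ: "JWT" })}.${enc(claims)}.sig`;
}

const sample = makeSampleToken({ sub: "example-client", scope: "recording:write" });
console.log(checkScopes(sample));
```

A result with `inspectable: false` means the token is opaque, so the effective scopes have to be read from the OAuth client configuration instead.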
It depends, but generally… the scope issue is real but secondary to the user’s role permissions. My gRPC service hits this when the service account lacks the Recording Control capability, even with valid OAuth. Verify the user has System Administrator or a custom role with recording:control and conversation:write scopes explicitly granted.
This is a classic scope mismatch masquerading as a role issue.
{"code": "forbidden", "message": "User does not have permission to perform this action."}
Stop guessing. Add recording:control to the OAuth client scopes in Terraform. recording:write only touches metadata, not the media stream state.
resource "genesyscloud_oauth_client" "recording_control" {
  name   = "recording-api-client"
  scopes = ["recording:control", "recording:write"]
}