Why does this setting throw a 403? I’m running a terraform plan to sync queues, and the service account has admin scope. It works for users but fails hard on queues.
GET /api/v2/routing/queues
403 Forbidden
Checked the token in jwt.io, scopes look right. Am I missing a specific routing scope like routing:queue? The docs aren’t clear on the hierarchy here.
This is a classic case where the admin scope isn’t actually giving you what you think it is. Genesys Cloud has been tightening permissions on routing resources, and admin often just means “admin of users/auth”, not “admin of everything”. You probably need routing:queue or routing:queue:read explicitly added to your OAuth client’s scopes.
Check your application settings in the admin portal. Under the “Scopes” tab for that client ID, make sure routing:queue is checked. If it’s not, add it and re-authorize your service account. Also, verify the service account actually has the “Routing Administrator” role assigned. Scopes grant the permission to ask, but roles grant the permission to do. If your service account is just a “User” role, you’ll get 403 regardless of how many scopes you slap on the token.
Here is how I usually debug this in my React Native app when setting up the initial client:
// Check if the token actually has the scope before hitting the endpoint
const token = await authClient.getAccessToken();
const decoded = jwtDecode(token);
if (!decoded.scope.includes('routing:queue')) {
  console.error('Missing routing:queue scope');
  return;
}
// Then make the call
const queues = await platformClient.Routing.getRoutingQueues();
The other gotcha here is if you are using a delegated auth token instead of client credentials. If so, the user behind that token needs the role. It’s super easy to mix these up. I wasted half a day on this last week trying to sync queue configs via a Terraform script. The error message doesn’t tell you which part failed, the scope or the role. You just get a generic 403. Check the role assignment in the user management section first.
The problem here is admin scope is legacy for auth, not routing. You need routing:queue explicitly. Check the token scopes in jwt.io. Also, Terraform data sources for bulk analytics are bad practice anyway. See this: https://support.mycorp.com/kb/genesys-scopes-2024
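One way to tell apart the two 403 causes discussed in this thread (missing scope versus missing role) before calling the endpoint, as an added example that is not code from any poster or from Genesys. It assumes the token is a JWT with a `scope` claim and that the role names for the identity are looked up separately and passed in; `decodePayload`, `scopesOf`, `diagnose` and the sample token are hypothetical names and constructed data.

```javascript
// Assumptions (not from the thread): JWT-format token with a `scope` claim;
// the caller supplies the role names assigned to the identity behind the token
// (the service account for client credentials, the user for a delegated token).

// Decode the payload segment only. No signature check: this is for diagnosis,
// never for deciding whether to trust a token.
function decodePayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a three-part JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// `scope` may be a space-delimited string or an array; return exact scope names.
function scopesOf(payload) {
  const raw = payload.scope ?? [];
  return Array.isArray(raw) ? raw : String(raw).split(/\s+/).filter(Boolean);
}

// Returns a list of problems; an empty list means both checks passed.
function diagnose(jwt, assignedRoles, needScope, needRole) {
  const problems = [];
  // Exact match: a substring test on a scope string would accept
  // "routing:queue:read" when "routing:queue" is required.
  if (!scopesOf(decodePayload(jwt)).includes(needScope)) {
    problems.push(`token lacks scope ${needScope}`);
  }
  if (!assignedRoles.includes(needRole)) {
    problems.push(`identity lacks role ${needRole}`);
  }
  return problems;
}

// Constructed sample token: unsigned, with a placeholder signature segment.
function makeSampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(claims)}.sig`;
}

const sample = makeSampleToken({ sub: 'svc-terraform', scope: 'admin routing:queue:read' });
console.log(diagnose(sample, ['User'], 'routing:queue', 'Routing Administrator'));
```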