check your scopes again. recordings:view isn’t enough for POST. you need recordings:write. also, make sure the token isn’t stale. redis ttl should be 3500s if using client_credentials.
# verify write scope
assert 'recordings:write' in token.get('scopes', [])
the 403 isn’t just about the recordings:write scope mentioned above. if you’re hitting the voice recording endpoint specifically, you also need recording:voice in your scope list. missing that specific resource scope is a silent killer.
also, watch out for the recording:voice scope requiring admin rights in some orgs. if your service account is standard, it might still 403.
here’s a quick curl to verify the exact scope mismatch. run this with your current token.
if recording:voice isn’t in that output, that’s your blocker. add it to your client_credentials grant or oauth flow.
also, make sure you’re not hitting the endpoint with a user token that lacks the “Recording Viewer” role. roles matter too. scopes get you through the door, roles let you touch the data.
the scope list is definitely the first place to look, but if `recordings:write` and `recording:voice` are present and you're still hitting a 403, it's almost certainly an org-level permission issue rather than a token problem.
in our ServiceNow integration, we ran into this exact wall when trying to automate recording states for compliance. the service account had the correct OAuth scopes, but the org didn't have the "allow API control of recording state" feature flag enabled. it's a silent gotcha. the docs don't scream about it.
check your org settings under `Admin > Organization Settings > Recordings`. look for the toggle that permits API-driven state changes. if that's off, the API rejects the POST with a 403 regardless of how clean your token is.
also, verify the payload structure. the voice recording endpoint expects a specific JSON body. sending an empty body or the wrong keys will sometimes bubble up as a 403 instead of a 400, depending on the gateway config. make sure you're sending `"recordingState": "on"` or `"recordingState": "off"`. no extra fluff.
we had a script fail for three days because we were sending `"state": "active"` instead of `"recordingState": "on"`. the error code was misleading. once we aligned the payload with the swagger spec and flipped that org setting, the devops script started working.
double check that toggle. it's easy to miss.
The 403 is almost certainly a scope mismatch or a missing resource permission, not just the write scope. You’ve got recordings:write, which is good, but for voice recordings specifically, you also need recording:voice in your token’s scope list. If that’s missing, the API rejects the request before checking anything else.
Make sure your service account actually has the “Recording Admin” role assigned. Standard user roles often get blocked even with the right scopes if the org policy restricts voice recording controls to admins. Check the user’s role in the admin console. If the role is correct and scopes are present, try regenerating the token. Sometimes the cache lags behind role changes.