Is it possible to maintain long-lived sessions for multi-tenant Premium Apps without triggering immediate 401 Unauthorized errors during token refresh?
We are deploying a Genesys Cloud integration that serves multiple organizations via a single AppFoundry listing. The architecture relies on the standard OAuth2 authorization code flow with PKCE. While initial token acquisition succeeds consistently, the refresh token mechanism appears unstable for tenants with high API throughput.
Specifically, when our backend service attempts to rotate tokens using the /oauth/token endpoint, we receive intermittent failures despite the refresh token being valid and within its expiration window. The environment is set to us-east-1. The client application is registered with the admin and user scopes.
The response payload indicates a scope validation issue, which is unexpected given the static scope configuration:
{"error": "invalid_grant", "error_description": "The provided authorization grant (e.g., authorization code, refresh token) or scope is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client."}
Has anyone encountered similar scope mismatch errors during refresh cycles in a multi-org setup? We are using the Genesys Cloud SDK v5.3.0 for the integration logic.