AppFoundry Partner Center: OAuth Consent Error 403 on Multi-Tenant Data Export

Quick question about the OAuth consent flow for multi-tenant AppFoundry integrations. We are deploying a premium analytics app that aggregates conversation metrics across several secondary Genesys Cloud organizations. The primary tenant authentication succeeds without issue, but the token exchange for secondary tenants consistently fails with an HTTP 403 Forbidden error. The response payload indicates a scope mismatch, specifically regarding the analytics:report:view permission, even though the application manifest explicitly requests this scope during the initial setup in the AppFoundry partner center.

The integration uses the standard PKCE flow with a backend service acting as the client. We have verified that the application user in the secondary tenants has the correct administrative role assigned. The error occurs specifically when the backend attempts to refresh the access token for the secondary tenant using the authorization code.

  • Verified that the application manifest in the AppFoundry partner center includes the analytics:report:view scope and that the scope is approved by the Genesys Cloud admin in the secondary tenant.
  • Confirmed that the client ID and client secret used in the token exchange request match the credentials generated for the specific secondary tenant integration instance.

Has anyone encountered similar scope validation issues when scaling multi-tenant integrations? Are there additional compliance checks or explicit consent steps required for secondary tenants that are not documented in the standard AppFoundry onboarding guide?