AppFoundry Premium App: OAuth Token Refresh 403 on Multi-Org Endpoint

Encountering a 403 Forbidden response when attempting to refresh an OAuth access token for a secondary tenant within a multi-org AppFoundry integration. The initial authorization code grant succeeds, but the token refresh endpoint (/api/v2/oauth/token) rejects the request with the following payload:

{
 "message": "Access denied. The client does not have permission to access this resource.",
 "status": 403
}

This behavior is inconsistent. The primary tenant’s tokens refresh without issue. The client ID and secret are correct, as verified by successful initial grants. We are using the Genesys Cloud JavaScript SDK v4.2.1 for the underlying HTTP calls. The App is deployed as a Premium App with the integration:manage scope.

Our configuration for the OAuth client is as follows:

oauth_config:
 client_id: "prod_app_client_xyz"
 scopes:
 - "integration:manage"
 - "user:read"
 multi_org_enabled: true
 token_endpoint: "/api/v2/oauth/token"

Is there a specific limitation on token refresh rates or scope inheritance for secondary tenants in multi-org setups? The API rate limits appear well within the acceptable threshold (approx. 10 req/min per tenant). Any insights on why the refresh token is being invalidated or rejected specifically for the sub-tenant context would be appreciated.

This seems like a classic scope mismatch in the multi-tenant setup. When you are dealing with AppFoundry Premium Apps across different orgs, the OAuth client ID generated for the primary tenant does not automatically carry permissions for the secondary tenants. The 403 error specifically points to the client lacking the necessary resource access rights, not necessarily a bad token.

You need to verify that the service account associated with the refresh request has the correct role assignments in the secondary tenant. In my experience with ServiceNow integrations, this often happens when the initial auth code was captured correctly, but the underlying application permissions were not replicated or granted in the target org. Check the /api/v2/oauth/clients endpoint to ensure the client exists and is active in the secondary tenant context. If it is missing, you will need to register the app there explicitly and ensure the redirect URI matches exactly. Also, double-check that the grant type is set to refresh_token and that the client secret is valid for that specific tenant instance.
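The per-tenant check described in the reply above, as an added example that is not code from this thread or from the Genesys Cloud SDK. It assumes a per-tenant base URL, HTTP Basic client credentials on the token call, the `entities` list shape and `state`/`registeredRedirectUri` fields on /api/v2/oauth/clients, and an admin bearer token for that lookup; the tenant hostnames and the mock fetch are constructed so it runs offline.

```javascript
// Added diagnostic (assumption-based, see lead-in); endpoint paths are from the thread.
const CLIENT = { id: 'prod_app_client_xyz', secret: '<secret>', redirectUri: 'https://app.example/cb' };

// Refresh grant against one tenant's token endpoint; returns status and parsed body.
async function refreshAccessToken(base, refreshTok, fetchImpl) {
  const basic = Buffer.from(`${CLIENT.id}:${CLIENT.secret}`).toString('base64');
  const res = await fetchImpl(`${base}/api/v2/oauth/token`, {
    method: 'POST',
    headers: { Authorization: `Basic ${basic}`, 'Content-Type': 'application/x-www-form-urlencoded' },
    body: new URLSearchParams({ grant_type: 'refresh_token', refresh_token: refreshTok }).toString(),
  });
  return { status: res.status, body: await res.json() };
}

// Classify a refresh failure per tenant. A 403 is a client-permission problem in that
// tenant, so look the client up there instead of assuming the refresh token is bad.
async function diagnoseRefresh(base, refreshTok, adminToken, fetchImpl) {
  const r = await refreshAccessToken(base, refreshTok, fetchImpl);
  if (r.status === 200) return 'refreshed';
  if (r.status !== 403) return `http_${r.status}`;
  const list = await fetchImpl(`${base}/api/v2/oauth/clients`, { headers: { Authorization: `Bearer ${adminToken}` } });
  if (list.status !== 200) return `clients_lookup_http_${list.status}`;
  const c = ((await list.json()).entities || []).find((e) => e.id === CLIENT.id);
  if (!c) return 'client_not_registered_in_tenant';
  if (c.state !== 'active') return 'client_inactive';
  if (!(c.registeredRedirectUri || []).includes(CLIENT.redirectUri)) return 'redirect_uri_mismatch';
  return 'client_registered_check_roles'; // registration is fine: role assignments are next
}

// Constructed mock: primary refreshes; secondary returns the thread's 403 with no client
// registered; "third" returns 403 with a client whose redirect URI does not match.
const json = (status, obj) => ({ status, json: async () => obj });
const DENIED = { message: 'Access denied. The client does not have permission to access this resource.', status: 403 };
async function mockFetch(url) {
  if (url.startsWith('https://primary.example')) return json(200, { access_token: 'new', expires_in: 3600 });
  if (url.endsWith('/api/v2/oauth/token')) return json(403, DENIED);
  if (url.startsWith('https://secondary.example')) return json(200, { entities: [] });
  return json(200, { entities: [{ id: CLIENT.id, state: 'active', registeredRedirectUri: ['https://other.example/cb'] }] });
}

diagnoseRefresh('https://secondary.example', 'rt', 'admin-token', mockFetch).then(console.log);
```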