Choosing the Right OAuth Grant: Client Credentials vs Authorization Code for Server-Side Reporting
What You Will Build
- This tutorial demonstrates how to implement both the Client Credentials and Authorization Code grant types to authenticate server-side reporting applications against Genesys Cloud and NICE CXone.
- You will build a Python script that fetches conversation analytics using the correct token flow based on your application architecture.
- The code uses Python 3.10+ with the
requestslibrary and official SDKs where applicable, focusing on the HTTP mechanics of the OAuth flows.
Prerequisites
- Genesys Cloud: A PureCloud Developer App with
adminorread:analyticsscopes enabled. - NICE CXone: An API Key or OAuth Client ID/Secret with
analyticspermissions. - Runtime: Python 3.10 or higher.
- Dependencies:
requests,python-dotenv,purecloud-platform-client(for Genesys SDK examples).
Authentication Setup
The core decision in server-side reporting is whether your application acts on behalf of a specific user (delegated access) or on behalf of the application itself (machine-to-machine).
The Client Credentials Grant (Machine-to-Machine)
Use this grant when your application runs as a background service, cron job, or API endpoint that does not interact with a human user during the execution. The application authenticates with its own identity (Client ID and Client Secret).
Pros:
- No user interaction required.
- Tokens can be cached for the full duration (typically 1 hour).
- Simplest implementation for batch jobs.
Cons:
- Limited to the scopes granted to the app, not the user.
- Cannot access data restricted to specific user permissions (e.g., if the app needs to see data a specific manager can see but the app’s global scope does not allow).
The Authorization Code Grant (Delegated Access)
Use this grant when your application needs to act on behalf of a specific user, or when you need to leverage the user’s specific permissions. Even for server-side reporting, if you need to replicate a specific user’s view or access data tied to their role, this is the required flow.
Pros:
- Accesses data based on the user’s permissions.
- Supports refresh tokens for long-lived sessions without re-authentication.
Cons:
- Requires an initial interactive login (unless using PKCE with a headless browser or storing a pre-authorized code).
- More complex token management (access + refresh tokens).
Implementation
Step 1: Client Credentials Grant Implementation
This section shows how to obtain an access token using the Client Credentials grant for Genesys Cloud. This is the standard approach for automated nightly reports.
Required Scope: read:analytics (or specific analytics scopes)
import os
import requests
from typing import Optional, Dict, Any
class GenesysClientCredentialsAuth:
def __init__(self, client_id: str, client_secret: str, environment: str = "mypurecloud.com"):
self.client_id = client_id
self.client_secret = client_secret
self.base_url = f"https://api.{environment}"
self.token_url = f"{self.base_url}/oauth/token"
self.access_token: Optional[str] = None
self.expires_in: int = 0
def _get_token(self) -> Dict[str, Any]:
"""
Requests an OAuth token using Client Credentials grant.
"""
payload = {
"grant_type": "client_credentials",
"client_id": self.client_id,
"client_secret": self.client_secret,
"scope": "read:analytics"
}
headers = {
"Content-Type": "application/x-www-form-urlencoded"
}
response = requests.post(self.token_url, data=payload, headers=headers)
response.raise_for_status()
return response.json()
def get_access_token(self) -> str:
"""
Returns a valid access token. Refreshes if expired.
"""
if self.access_token and self.expires_in > 0:
return self.access_token
token_data = self._get_token()
self.access_token = token_data.get("access_token")
self.expires_in = token_data.get("expires_in", 3600)
return self.access_token
def fetch_analytics_summary(self, date_from: str, date_to: str) -> Dict[str, Any]:
"""
Fetches conversation summary analytics.
Endpoint: GET /api/v2/analytics/conversations/summary/query
"""
token = self.get_access_token()
url = f"{self.base_url}/api/v2/analytics/conversations/summary/query"
headers = {
"Authorization": f"Bearer {token}",
"Content-Type": "application/json"
}
body = {
"dateFrom": date_from,
"dateTo": date_to,
"groupBy": [],
"metrics": [
"conversationCount",
"handleTime"
]
}
response = requests.post(url, json=body, headers=headers)
if response.status_code == 429:
print("Rate limited. Implement exponential backoff.")
return {}
response.raise_for_status()
return response.json()
Expected Response:
The _get_token method returns a JSON object containing access_token, token_type (“Bearer”), and expires_in (seconds). The analytics call returns a detailed JSON structure with metric values.
Error Handling:
- 401 Unauthorized: Check Client ID/Secret and scope permissions.
- 403 Forbidden: The app lacks the
read:analyticsscope or the organization has restricted API access. - 429 Too Many Requests: Genesys Cloud enforces strict rate limits. The code above prints a warning, but production code should implement retry logic with exponential backoff.
Step 2: Authorization Code Grant Implementation
This section demonstrates the Authorization Code flow. This is more complex because it involves redirecting the user to Genesys Cloud for login, capturing the authorization code, and exchanging it for tokens.
Required Scope: read:analytics
import os
import requests
from urllib.parse import urlencode
from typing import Optional, Dict, Any
class GenesysAuthorizationCodeAuth:
def __init__(self, client_id: str, client_secret: str, environment: str = "mypurecloud.com"):
self.client_id = client_id
self.client_secret = client_secret
self.base_url = f"https://api.{environment}"
self.auth_url = f"https://login.{environment}/as/authorization.oauth2"
self.token_url = f"{self.base_url}/oauth/token"
self.redirect_uri = "http://localhost:8080/callback"
self.access_token: Optional[str] = None
self.refresh_token: Optional[str] = None
self.expires_in: int = 0
def get_authorization_url(self, state: str = "random_state_string") -> str:
"""
Generates the URL to redirect the user to for login.
"""
params = {
"response_type": "code",
"client_id": self.client_id,
"redirect_uri": self.redirect_uri,
"scope": "read:analytics",
"state": state
}
return f"{self.auth_url}?{urlencode(params)}"
def exchange_code_for_token(self, authorization_code: str) -> Dict[str, Any]:
"""
Exchanges the authorization code for access and refresh tokens.
"""
payload = {
"grant_type": "authorization_code",
"code": authorization_code,
"client_id": self.client_id,
"client_secret": self.client_secret,
"redirect_uri": self.redirect_uri
}
headers = {
"Content-Type": "application/x-www-form-urlencoded"
}
response = requests.post(self.token_url, data=payload, headers=headers)
response.raise_for_status()
token_data = response.json()
self.access_token = token_data.get("access_token")
self.refresh_token = token_data.get("refresh_token")
self.expires_in = token_data.get("expires_in", 3600)
return token_data
def refresh_access_token(self) -> Dict[str, Any]:
"""
Uses the refresh token to get a new access token.
"""
if not self.refresh_token:
raise ValueError("No refresh token available.")
payload = {
"grant_type": "refresh_token",
"refresh_token": self.refresh_token,
"client_id": self.client_id,
"client_secret": self.client_secret
}
headers = {
"Content-Type": "application/x-www-form-urlencoded"
}
response = requests.post(self.token_url, data=payload, headers=headers)
response.raise_for_status()
token_data = response.json()
self.access_token = token_data.get("access_token")
self.refresh_token = token_data.get("refresh_token")
self.expires_in = token_data.get("expires_in", 3600)
return token_data
def get_valid_token(self) -> str:
"""
Returns a valid access token, refreshing if necessary.
"""
if self.access_token and self.expires_in > 60: # Buffer for expiry
return self.access_token
try:
self.refresh_access_token()
except Exception:
# If refresh fails, the user must re-authorize
raise Exception("Token refresh failed. Re-authorization required.")
return self.access_token
Non-Obvious Parameters:
state: A random string used to prevent CSRF attacks. You must verify this state in your callback handler.redirect_uri: Must exactly match the URI registered in the Genesys Cloud Developer Console.
Edge Cases:
- Refresh Token Revocation: If the user revokes access in their profile, the refresh token becomes invalid. The
refresh_access_tokenmethod will return a 400 error. - Token Expiry: The
expires_invalue is in seconds. Always subtract a buffer (e.g., 60 seconds) to account for network latency and clock skew.
Step 3: Processing Results and Handling Pagination
Both grant types result in an access_token that is used identically in subsequent API calls. The following example shows how to handle pagination for detailed conversation analytics.
def fetch_detailed_analytics(auth_instance: Any, date_from: str, date_to: str) -> list:
"""
Fetches detailed conversation analytics with pagination.
Works with either ClientCredentialsAuth or AuthorizationCodeAuth.
"""
base_url = auth_instance.base_url
url = f"{base_url}/api/v2/analytics/conversations/details/query"
headers = {
"Content-Type": "application/json"
}
body = {
"dateFrom": date_from,
"dateTo": date_to,
"groupBy": [],
"metrics": ["conversationCount"],
"pageSize": 25
}
all_results = []
page_token = None
while True:
if page_token:
body["pageToken"] = page_token
token = auth_instance.get_access_token() if hasattr(auth_instance, 'get_access_token') else auth_instance.get_valid_token()
headers["Authorization"] = f"Bearer {token}"
response = requests.post(url, json=body, headers=headers)
response.raise_for_status()
data = response.json()
all_results.extend(data.get("results", []))
if "nextPageToken" not in data or data["nextPageToken"] == "":
break
page_token = data["nextPageToken"]
# Optional: Add a small delay to respect rate limits
import time
time.sleep(0.5)
return all_results
Complete Working Example
This script demonstrates the Client Credentials flow, which is the most common for server-side reporting. It fetches a simple analytics summary.
import os
from dotenv import load_dotenv
# Load environment variables
load_dotenv()
CLIENT_ID = os.getenv("GENESYS_CLIENT_ID")
CLIENT_SECRET = os.getenv("GENESYS_CLIENT_SECRET")
if not CLIENT_ID or not CLIENT_SECRET:
raise EnvironmentError("GENESYS_CLIENT_ID and GENESYS_CLIENT_SECRET must be set in .env file")
def main():
# Initialize the Client Credentials Auth class
auth = GenesysClientCredentialsAuth(
client_id=CLIENT_ID,
client_secret=CLIENT_SECRET,
environment="mypurecloud.com"
)
try:
# Define the date range
date_from = "2023-10-01T00:00:00.000Z"
date_to = "2023-10-02T00:00:00.000Z"
# Fetch analytics
print("Fetching analytics summary...")
analytics_data = auth.fetch_analytics_summary(date_from, date_to)
# Process results
if "results" in analytics_data:
for result in analytics_data["results"]:
print(f"Metric: {result.get('metric')}")
print(f"Value: {result.get('value')}")
else:
print("No results found or error in response structure.")
except requests.exceptions.HTTPError as e:
print(f"HTTP Error: {e.response.status_code} - {e.response.text}")
except Exception as e:
print(f"Unexpected error: {str(e)}")
if __name__ == "__main__":
main()
Common Errors & Debugging
Error: 401 Unauthorized
- Cause: Invalid Client ID/Secret, expired token, or missing scope.
- Fix: Verify credentials in the Genesys Cloud Developer Console. Ensure the
read:analyticsscope is assigned to the application. Check that the token is being included in theAuthorizationheader asBearer <token>.
Error: 403 Forbidden
- Cause: The application has the correct credentials but lacks permission to access the specific resource.
- Fix: Check the scope permissions. For analytics, ensure
read:analyticsis present. If using Authorization Code, ensure the logged-in user has the necessary UI permissions to view analytics.
Error: 429 Too Many Requests
- Cause: Exceeding Genesys Cloud’s rate limits. Analytics endpoints often have lower limits than standard CRUD operations.
- Fix: Implement exponential backoff. Start with a 1-second delay, doubling it with each retry up to a maximum of 30 seconds. Always check the
Retry-Afterheader if present.
Error: 400 Bad Request (Invalid Grant)
- Cause: Using the wrong grant type for the token endpoint, or providing an invalid authorization code.
- Fix: Ensure
grant_typematches the flow (client_credentialsvsauthorization_code). For Authorization Code, ensure the code has not been used already (codes are single-use) and has not expired (typically 5-10 minutes).