Choosing the Right OAuth Grant for Server-Side Genesys Cloud Reporting
What You Will Build
- This tutorial demonstrates how to implement and compare the Client Credentials and Authorization Code grant flows for a Python-based reporting application.
- You will build two distinct authentication modules using the
purecloudplatformclientv2Python SDK. - You will execute real API calls to
/api/v2/analytics/conversations/details/queryto retrieve call metrics, showing which grant type fits which architectural constraint.
Prerequisites
- Platform: Genesys Cloud CX.
- Language: Python 3.9+.
- SDK:
purecloudplatformclientv2(latest stable release). - Dependencies:
pip install purecloudplatformclientv2 requests. - Account Access:
- A Genesys Cloud organization with an active environment.
- For Client Credentials: An API Client with
client_credentialsgrant type enabled, and the necessary OAuth scopes (e.g.,analytics:conversations:view). - For Authorization Code: An API Client with
authorization_codegrant type enabled, a redirect URI configured (e.g.,http://localhost:8000/callback), and a user account with permissions to view analytics.
- Understanding: Basic familiarity with OAuth 2.0 concepts and Python async/await patterns.
Authentication Setup
The core difference between these two flows lies in the presence of a human user. Client Credentials is a machine-to-machine flow. It requires no user interaction and represents the application itself. Authorization Code is a user-to-machine flow. It requires a user to log in via a browser, granting the application permission to act on their behalf.
For a server-side reporting app, the choice depends on whether you are aggregating global organizational data (Client Credentials) or pulling data scoped to specific users or teams based on their individual permissions (Authorization Code).
Step 1: Implementing Client Credentials Flow
This flow is ideal for backend jobs that run on a schedule (e.g., nightly data warehouse loads). The application authenticates using its own identity.
Required Scopes: analytics:conversations:view (or broader scopes if needed).
"""
module: client_creds_auth.py
Description: Demonstrates the Client Credentials OAuth flow for Genesys Cloud.
"""
import os
from purecloudplatformclientv2.rest import ApiException
from purecloudplatformclientv2 import (
PlatformClient,
Configuration,
AnalyticsApi,
PostConversationDetailsQueryRequest
)
def get_client_creds_platform_client(client_id: str, client_secret: str) -> PlatformClient:
"""
Initializes the Genesys Cloud SDK using Client Credentials grant.
Args:
client_id: The API Client ID from Genesys Cloud Admin.
client_secret: The API Client Secret from Genesys Cloud Admin.
Returns:
A configured PlatformClient instance.
"""
# Configure the SDK to use the Client Credentials grant type
config = Configuration(
host="https://api.mypurecloud.com", # Change to your environment host
client_id=client_id,
client_secret=client_secret,
oauth_client_id=client_id,
oauth_client_secret=client_secret,
grant_type="client_credentials"
)
# Initialize the platform client
platform_client = PlatformClient(config)
return platform_client
def fetch_global_call_metrics(platform_client: PlatformClient) -> dict:
"""
Queries analytics for all conversations in the organization.
Args:
platform_client: The authenticated PlatformClient.
Returns:
The response body from the analytics API.
"""
analytics_api = AnalyticsApi(platform_client)
# Define the query body
# Note: Client Credentials often has broader visibility than a single user
body = PostConversationDetailsQueryRequest(
body={
"view": "conversation_view_v2",
"date_from": "2023-10-01T00:00:00Z",
"date_to": "2023-10-31T23:59:59Z",
"size": 10,
"order_by": "timestamp",
"order_dir": "desc"
}
)
try:
# Execute the query
response = analytics_api.post_analytics_conversations_details_query(body=body)
return response.to_dict()
except ApiException as e:
print(f"Exception when calling AnalyticsApi->post_analytics_conversations_details_query: {e}\n")
raise
if __name__ == "__main__":
CLIENT_ID = os.getenv("GENESYS_CLIENT_ID")
CLIENT_SECRET = os.getenv("GENESYS_CLIENT_SECRET")
if not CLIENT_ID or not CLIENT_SECRET:
raise ValueError("GENESYS_CLIENT_ID and GENESYS_CLIENT_SECRET environment variables are required.")
# Initialize the client
gc_client = get_client_creds_platform_client(CLIENT_ID, CLIENT_SECRET)
# Fetch data
try:
data = fetch_global_call_metrics(gc_client)
print(f"Retrieved {data.get('count', 0)} conversations.")
if data.get('entities'):
print(f"Sample entity ID: {data['entities'][0]['id']}")
except Exception as e:
print(f"Failed to fetch metrics: {e}")
Why this works: The SDK handles the POST /oauth/token request internally. It exchanges the client_id and client_secret for an access token. This token is valid for 1 hour. The SDK automatically refreshes the token if it expires during a long-running process, provided the client_secret is stored in the configuration.
Step 2: Implementing Authorization Code Flow
This flow is necessary when the reporting app must respect user-level permissions. For example, if you are building a dashboard where a manager can only see their team’s data, you must authenticate as that manager.
Required Scopes: analytics:conversations:view, offline_access (for refresh tokens).
"""
module: auth_code_flow.py
Description: Demonstrates the Authorization Code OAuth flow for Genesys Cloud.
This example uses a simple HTTP server for the redirect URI callback.
"""
import os
import http.server
import urllib.parse
import threading
from purecloudplatformclientv2.rest import ApiException
from purecloudplatformclientv2 import (
PlatformClient,
Configuration,
AnalyticsApi,
PostConversationDetailsQueryRequest
)
class AuthCallbackHandler(http.server.BaseHTTPRequestHandler):
"""
A simple HTTP handler to capture the authorization code from Genesys Cloud.
"""
def do_GET(self):
# Parse the query parameters from the redirect URI
query_params = urllib.parse.parse_qs(urllib.parse.urlparse(self.path).query)
if 'code' in query_params:
auth_code = query_params['code'][0]
print(f"Authorization Code Received: {auth_code}")
# Store the code for the main thread to use
AuthCallbackHandler.received_code = auth_code
# Send a 200 OK response to the browser
self.send_response(200)
self.send_header('Content-type', 'text/html')
self.end_headers()
self.wfile.write(b"<html><body>Authentication successful. You can close this window.</body></html>")
else:
# Handle error case
error = query_params.get('error', ['Unknown error'])[0]
print(f"Authorization Error: {error}")
self.send_response(400)
self.send_header('Content-type', 'text/html')
self.end_headers()
self.wfile.write(f"<html><body>Authentication failed: {error}</body></html>".encode())
def log_message(self, format, *args):
# Suppress default logging to keep output clean
pass
AuthCallbackHandler.received_code = None
def start_auth_server(port: int = 8000):
"""
Starts a local HTTP server to receive the OAuth callback.
"""
server = http.server.HTTPServer(('localhost', port), AuthCallbackHandler)
print(f"Listening on http://localhost:{port}")
server.serve_forever()
def get_auth_code_platform_client(client_id: str, client_secret: str, auth_code: str) -> PlatformClient:
"""
Initializes the Genesys Cloud SDK using an Authorization Code.
Args:
client_id: The API Client ID.
client_secret: The API Client Secret.
auth_code: The code received from the redirect URI.
Returns:
A configured PlatformClient instance.
"""
config = Configuration(
host="https://api.mypurecloud.com",
client_id=client_id,
client_secret=client_secret,
oauth_client_id=client_id,
oauth_client_secret=client_secret,
grant_type="authorization_code",
code=auth_code
)
platform_client = PlatformClient(config)
return platform_client
def fetch_user_scoped_metrics(platform_client: PlatformClient) -> dict:
"""
Queries analytics scoped to the authenticated user's permissions.
"""
analytics_api = AnalyticsApi(platform_client)
body = PostConversationDetailsQueryRequest(
body={
"view": "conversation_view_v2",
"date_from": "2023-10-01T00:00:00Z",
"date_to": "2023-10-31T23:59:59Z",
"size": 10
}
)
try:
response = analytics_api.post_analytics_conversations_details_query(body=body)
return response.to_dict()
except ApiException as e:
print(f"Exception when calling AnalyticsApi: {e}\n")
raise
if __name__ == "__main__":
CLIENT_ID = os.getenv("GENESYS_CLIENT_ID")
CLIENT_SECRET = os.getenv("GENESYS_CLIENT_SECRET")
REDIRECT_URI = "http://localhost:8000/callback"
if not CLIENT_ID or not CLIENT_SECRET:
raise ValueError("GENESYS_CLIENT_ID and GENESYS_CLIENT_SECRET environment variables are required.")
# 1. Start the callback server in a background thread
server_thread = threading.Thread(target=start_auth_server, args=(8000,), daemon=True)
server_thread.start()
# 2. Construct the authorization URL
# The user must visit this URL in their browser
auth_url = (
f"https://login.mypurecloud.com/oauth/authorize?"
f"response_type=code"
f"&client_id={CLIENT_ID}"
f"&redirect_uri={urllib.parse.quote(REDIRECT_URI)}"
f"&scope=analytics:conversations:view+offline_access"
f"&state=random_state_string_for_csrf"
)
print(f"Please visit this URL to authorize: {auth_url}")
print("Waiting for authorization code...")
# 3. Wait for the code to be received
import time
timeout = 60
start_time = time.time()
while AuthCallbackHandler.received_code is None:
time.sleep(1)
if time.time() - start_time > timeout:
raise TimeoutError("Authorization timed out.")
# 4. Initialize the client with the received code
gc_client = get_auth_code_platform_client(CLIENT_ID, CLIENT_SECRET, AuthCallbackHandler.received_code)
# 5. Fetch data
try:
data = fetch_user_scoped_metrics(gc_client)
print(f"Retrieved {data.get('count', 0)} conversations for the authenticated user.")
except Exception as e:
print(f"Failed to fetch metrics: {e}")
Why this works: The user visits the auth_url. Genesys Cloud prompts for login and consent. Upon approval, Genesys redirects to http://localhost:8000/callback?code=.... The Python script captures this code, exchanges it for an access token and a refresh token (due to offline_access), and then uses the SDK to make API calls.
Step 3: Handling Token Refresh and Storage
For production applications, you must persist tokens. The Client Credentials flow does not provide a refresh token; it simply re-authenticates. The Authorization Code flow provides a refresh token.
"""
module: token_management.py
Description: Shows how to handle token persistence for Authorization Code flow.
"""
import json
import os
from purecloudplatformclientv2 import Configuration
TOKEN_FILE = "genesys_tokens.json"
def load_tokens() -> dict:
if os.path.exists(TOKEN_FILE):
with open(TOKEN_FILE, 'r') as f:
return json.load(f)
return {}
def save_tokens(tokens: dict):
with open(TOKEN_FILE, 'w') as f:
json.dump(tokens, f)
def get_platform_client_with_refresh(client_id: str, client_secret: str, refresh_token: str = None) -> PlatformClient:
"""
If a refresh token exists, use it. Otherwise, the user must re-authorize.
"""
config = Configuration(
host="https://api.mypurecloud.com",
client_id=client_id,
client_secret=client_secret,
oauth_client_id=client_id,
oauth_client_secret=client_secret,
grant_type="authorization_code"
)
if refresh_token:
config.refresh_token = refresh_token
# The SDK will automatically use the refresh token to get a new access token
# when the current one expires.
# Note: In a real app, you would need to capture the new refresh token
# if the old one was used. The SDK's Configuration object updates
# internally, but you may want to hook into the token refresh event
# to persist the new refresh token.
return PlatformClient(config)
Complete Working Example
Below is a unified script that allows you to switch between grant types via a command-line argument. This demonstrates the structural similarity once authentication is resolved.
"""
main.py
Unified reporting script supporting both Client Credentials and Authorization Code.
Usage:
python main.py --grant client_credentials
python main.py --grant authorization_code
"""
import argparse
import os
import sys
import time
import threading
import http.server
import urllib.parse
from purecloudplatformclientv2.rest import ApiException
from purecloudplatformclientv2 import (
PlatformClient,
Configuration,
AnalyticsApi,
PostConversationDetailsQueryRequest
)
def get_client_creds_client(client_id: str, client_secret: str) -> PlatformClient:
config = Configuration(
host="https://api.mypurecloud.com",
client_id=client_id,
client_secret=client_secret,
oauth_client_id=client_id,
oauth_client_secret=client_secret,
grant_type="client_credentials"
)
return PlatformClient(config)
class AuthCallbackHandler(http.server.BaseHTTPRequestHandler):
received_code = None
def do_GET(self):
query_params = urllib.parse.parse_qs(urllib.parse.urlparse(self.path).query)
if 'code' in query_params:
AuthCallbackHandler.received_code = query_params['code'][0]
self.send_response(200)
self.send_header('Content-type', 'text/html')
self.end_headers()
self.wfile.write(b"<html><body>Auth successful. Close window.</body></html>")
else:
self.send_response(400)
self.send_header('Content-type', 'text/html')
self.end_headers()
self.wfile.write(b"<html><body>Auth failed.</body></html>")
def log_message(self, format, *args):
pass
def get_auth_code_client(client_id: str, client_secret: str) -> PlatformClient:
port = 8000
redirect_uri = f"http://localhost:{port}/callback"
server = http.server.HTTPServer(('localhost', port), AuthCallbackHandler)
server_thread = threading.Thread(target=server.serve_forever, daemon=True)
server_thread.start()
auth_url = (
f"https://login.mypurecloud.com/oauth/authorize?"
f"response_type=code"
f"&client_id={client_id}"
f"&redirect_uri={urllib.parse.quote(redirect_uri)}"
f"&scope=analytics:conversations:view+offline_access"
f"&state=csrf_token"
)
print(f"Visit this URL: {auth_url}")
while AuthCallbackHandler.received_code is None:
time.sleep(1)
config = Configuration(
host="https://api.mypurecloud.com",
client_id=client_id,
client_secret=client_secret,
oauth_client_id=client_id,
oauth_client_secret=client_secret,
grant_type="authorization_code",
code=AuthCallbackHandler.received_code
)
return PlatformClient(config)
def run_report(platform_client: PlatformClient):
analytics_api = AnalyticsApi(platform_client)
body = PostConversationDetailsQueryRequest(
body={
"view": "conversation_view_v2",
"date_from": "2023-10-01T00:00:00Z",
"date_to": "2023-10-31T23:59:59Z",
"size": 5
}
)
try:
response = analytics_api.post_analytics_conversations_details_query(body=body)
print(f"\nReport Generated:")
print(f"Total Count: {response.count}")
for entity in response.entities:
print(f" - ID: {entity.id}, Type: {entity.type}")
except ApiException as e:
print(f"API Error: {e.status} - {e.reason}")
if e.body:
print(f"Details: {e.body}")
if __name__ == "__main__":
parser = argparse.ArgumentParser(description="Genesys Cloud Reporting Tool")
parser.add_argument("--grant", required=True, choices=["client_credentials", "authorization_code"])
args = parser.parse_args()
client_id = os.getenv("GENESYS_CLIENT_ID")
client_secret = os.getenv("GENESYS_CLIENT_SECRET")
if not client_id or not client_secret:
print("Error: Set GENESYS_CLIENT_ID and GENESYS_CLIENT_SECRET environment variables.")
sys.exit(1)
if args.grant == "client_credentials":
print("Initializing Client Credentials flow...")
client = get_client_creds_client(client_id, client_secret)
else:
print("Initializing Authorization Code flow...")
client = get_auth_code_client(client_id, client_secret)
run_report(client)
Common Errors & Debugging
Error: 401 Unauthorized
Cause: The access token is invalid, expired, or missing.
Fix:
- For Client Credentials: Ensure
client_idandclient_secretare correct. Check that the API Client in Genesys Cloud Admin has theclient_credentialsgrant type enabled. - For Authorization Code: Ensure the
codewas not used previously. OAuth codes are single-use. Ensure the redirect URI matches exactly what is configured in the Admin console.
Error: 403 Forbidden
Cause: The OAuth token does not have the required scope, or the user/client lacks permission to view the data.
Fix:
- Verify the
scopeparameter in your OAuth request includesanalytics:conversations:view. - For Client Credentials: Check the API Client’s permissions in Genesys Cloud Admin. Assign the necessary roles or scopes.
- For Authorization Code: Ensure the logged-in user has permission to view analytics for the specified date range and entities.
Error: 429 Too Many Requests
Cause: You have exceeded the rate limit for the API endpoint.
Fix:
- Implement exponential backoff.
- The Genesys Cloud SDK does not automatically retry 429s in all versions. You should wrap API calls in a retry loop.
import time
def api_call_with_retry(func, *args, max_retries=5, **kwargs):
for attempt in range(max_retries):
try:
return func(*args, **kwargs)
except ApiException as e:
if e.status == 429:
wait_time = 2 ** attempt
print(f"Rate limited. Retrying in {wait_time} seconds...")
time.sleep(wait_time)
else:
raise
raise Exception("Max retries exceeded")
Error: Invalid Grant
Cause: Mismatch between the grant type specified in the code and the API Client configuration in Genesys Cloud.
Fix:
- If using
client_credentials, ensure the API Client in Admin has “Client Credentials” checked. - If using
authorization_code, ensure “Authorization Code” is checked and a Redirect URI is defined.