Choosing the Right OAuth Grant for Server-Side Reporting in Genesys Cloud CX
What You Will Build
- Two distinct authentication implementations for a server-side Python reporting application: one using Client Credentials for system-level analytics and one using Authorization Code with PKCE for user-specific call recording retrieval.
- This tutorial utilizes the Genesys Cloud CX REST API and the
purecloudplatformclientv2Python SDK. - The code is written in Python 3.9+ using
requestsfor raw HTTP interactions and the official SDK for object-oriented interactions.
Prerequisites
- Genesys Cloud Org: A valid Genesys Cloud organization with API access.
- API Client: Two API clients created in the Admin Console:
- Service Account Client: Type “Client Credentials”. Scopes:
analytics:export:read,user:read. - Web App Client: Type “Authorization Code”. Scopes:
call:read,conversation:read,user:read. Redirect URI must be configured (e.g.,http://localhost:8000/callback).
- Service Account Client: Type “Client Credentials”. Scopes:
- Python Environment: Python 3.9 or higher.
- Dependencies:
pip install purecloudplatformclientv2 requests python-dotenv - Environment Variables: A
.envfile containing:# Service Account GENESYS_CLIENT_ID_SA=your_service_account_client_id GENESYS_CLIENT_SECRET_SA=your_service_account_client_secret # Web App GENESYS_CLIENT_ID_WEB=your_web_app_client_id GENESYS_CLIENT_SECRET_WEB=your_web_app_client_secret GENESYS_REDIRECT_URI=http://localhost:8000/callback
Authentication Setup
The core decision in server-side reporting is determining the identity context. If the report aggregates data across the entire organization (e.g., “Total Handle Time for All Agents Last Week”), the system acts as itself. This requires the Client Credentials grant. If the report requires access to data restricted by user permissions (e.g., “My Call Recordings” or “Supervisor View of Team A”), the system acts on behalf of a human user. This requires the Authorization Code grant.
The Client Credentials Flow (System Identity)
This flow is non-interactive. The application exchanges its client_id and client_secret for an access token. The resulting token carries the identity of the API client (Service Account), not a human user.
Required Scope: analytics:export:read
import os
import requests
from dotenv import load_dotenv
load_dotenv()
def get_service_account_token() -> str:
"""
Exchanges client credentials for an access token.
Returns a valid JWT token string.
"""
token_url = "https://api.mypurecloud.com/oauth/token"
payload = {
"grant_type": "client_credentials",
"client_id": os.getenv("GENESYS_CLIENT_ID_SA"),
"client_secret": os.getenv("GENESYS_CLIENT_SECRET_SA"),
"scope": "analytics:export:read user:read"
}
headers = {
"Content-Type": "application/x-www-form-urlencoded"
}
response = requests.post(token_url, data=payload, headers=headers)
if response.status_code == 200:
return response.json()["access_token"]
else:
raise Exception(f"Authentication failed: {response.status_code} - {response.text}")
# Usage
# token = get_service_account_token()
# print(token)
The Authorization Code Flow (User Identity with PKCE)
This flow is interactive. It requires the end-user to log in via a browser. For server-side apps that eventually run on a headless server, this usually involves an initial interactive setup where the user grants consent, and the app stores the refresh_token for future use. We use PKCE (Proof Key for Code Exchange) to secure the flow, even though it is a confidential client, as it is a best practice for modern OAuth implementations.
Required Scope: call:read
import os
import secrets
import hashlib
import base64
import requests
from urllib.parse import urlencode, quote
from dotenv import load_dotenv
load_dotenv()
class UserAuthFlow:
def __init__(self):
self.client_id = os.getenv("GENESYS_CLIENT_ID_WEB")
self.redirect_uri = os.getenv("GENESYS_REDIRECT_URI")
self.token_url = "https://api.mypurecloud.com/oauth/token"
self.authorize_url = "https://api.mypurecloud.com/oauth/authorize"
def generate_pkce_params(self) -> tuple:
"""
Generates a code_verifier and code_challenge for PKCE.
Returns (code_verifier, code_challenge)
"""
code_verifier = secrets.token_urlsafe(64)
# SHA256 hash of the verifier, base64url encoded
code_challenge = base64.urlsafe_b64encode(
hashlib.sha256(code_verifier.encode('utf-8')).digest()
).decode('utf-8').rstrip('=')
return code_verifier, code_challenge
def get_authorization_url(self) -> str:
"""
Constructs the URL the user must visit to grant consent.
"""
verifier, challenge = self.generate_pkce_params()
# Store verifier in a secure session or memory for the callback
# In a real app, store this in Redis or a secure database keyed by state
self._code_verifier = verifier
self._code_challenge = challenge
params = {
"client_id": self.client_id,
"redirect_uri": self.redirect_uri,
"response_type": "code",
"scope": "call:read conversation:read",
"code_challenge": challenge,
"code_challenge_method": "S256",
"state": secrets.token_urlsafe(16) # Anti-CSRF token
}
return f"{self.authorize_url}?{urlencode(params)}"
def exchange_code_for_token(self, authorization_code: str) -> dict:
"""
Exchanges the authorization code received in the callback for tokens.
"""
payload = {
"grant_type": "authorization_code",
"client_id": self.client_id,
"client_secret": os.getenv("GENESYS_CLIENT_SECRET_WEB"),
"code": authorization_code,
"redirect_uri": self.redirect_uri,
"code_verifier": self._code_verifier
}
headers = {
"Content-Type": "application/x-www-form-urlencoded"
}
response = requests.post(self.token_url, data=payload, headers=headers)
if response.status_code == 200:
return response.json()
else:
raise Exception(f"Token exchange failed: {response.status_code} - {response.text}")
# Usage Example for Initialization
# auth = UserAuthFlow()
# login_url = auth.get_authorization_url()
# print(f"Visit this URL to login: {login_url}")
Implementation
Step 1: Aggregating Organization-Wide Analytics (Client Credentials)
We will build a script that retrieves the total number of interactions and average handle time for the entire organization over the last 7 days. This data is not user-specific; it belongs to the organization. Therefore, we use the Service Account token.
Endpoint: POST /api/v2/analytics/conversations/details/query
Scope: analytics:export:read
import json
import requests
from datetime import datetime, timedelta
import os
from dotenv import load_dotenv
load_dotenv()
def get_org_wide_analytics():
# 1. Authenticate as Service Account
token = get_service_account_token()
# 2. Define the Query Payload
# Genesys Analytics API requires a specific structure for aggregation
query_payload = {
"groupBy": [],
"interval": "day",
"intervalOffset": 0,
"dateFrom": (datetime.utcnow() - timedelta(days=7)).strftime("%Y-%m-%dT%H:%M:%S.000Z"),
"dateTo": datetime.utcnow().strftime("%Y-%m-%dT%H:%M:%S.000Z"),
"select": [
"interactions",
"duration"
],
"filter": {
"type": "AND",
"clauses": []
},
"paging": {
"pageSize": 1000
}
}
headers = {
"Authorization": f"Bearer {token}",
"Content-Type": "application/json"
}
url = "https://api.mypurecloud.com/api/v2/analytics/conversations/details/query"
try:
response = requests.post(url, headers=headers, json=query_payload)
if response.status_code == 200:
data = response.json()
total_interactions = data.get("total", 0)
total_duration_seconds = data.get("totalDuration", 0)
print(f"Total Interactions (Last 7 Days): {total_interactions}")
print(f"Total Duration (Seconds): {total_duration_seconds}")
return data
elif response.status_code == 429:
print("Rate Limited. Implement exponential backoff.")
# In production, implement retry logic here
else:
print(f"Error: {response.status_code}")
print(response.text)
except requests.exceptions.RequestException as e:
print(f"Network error: {e}")
# Run the function
# get_org_wide_analytics()
Why this works: The Service Account has global read access to analytics. It does not need to impersonate any user. The token is valid for 1 hour, but since this is a short-lived script, we do not need complex refresh logic.
Step 2: Retrieving User-Specific Call Recordings (Authorization Code)
Now we build a script that retrieves call recordings for a specific user. This data is often permissioned. While supervisors can see many recordings, a regular agent can only see their own. To respect these permissions and access user-specific data, we must use the Authorization Code flow.
Endpoint: GET /api/v2/recordings/details/{recordingId}
Prerequisite: We need a list of recording IDs. We will first query for recent recordings.
Endpoint: POST /api/v2/recordings/details/query
Scope: call:read, conversation:read
import requests
import os
from dotenv import load_dotenv
load_dotenv()
def get_user_recordings(user_id: str):
"""
Retrieves recordings for a specific user using a user-scoped token.
Assumes you have already obtained a refresh_token from the Authorization Code flow.
"""
# 1. Refresh the Token (Simulated)
# In a real app, you would store the refresh_token securely.
# Here we assume the previous step's exchange_code_for_token returned a refresh_token.
refresh_token = os.getenv("STORED_REFRESH_TOKEN")
if not refresh_token:
raise Exception("No refresh token available. Please run the auth flow first.")
token_url = "https://api.mypurecloud.com/oauth/token"
payload = {
"grant_type": "refresh_token",
"refresh_token": refresh_token,
"client_id": os.getenv("GENESYS_CLIENT_ID_WEB"),
"client_secret": os.getenv("GENESYS_CLIENT_SECRET_WEB")
}
headers = {"Content-Type": "application/x-www-form-urlencoded"}
token_response = requests.post(token_url, data=payload, headers=headers)
if token_response.status_code != 200:
raise Exception(f"Token refresh failed: {token_response.text}")
access_token = token_response.json()["access_token"]
# 2. Query for Recordings
query_url = "https://api.mypurecloud.com/api/v2/recordings/details/query"
# Filter for recordings involving the specific user
query_body = {
"dateFrom": "2023-01-01T00:00:00.000Z",
"dateTo": "2023-12-31T23:59:59.000Z",
"filter": {
"type": "AND",
"clauses": [
{
"type": "EQUALS",
"field": "participants.userId",
"value": user_id
}
]
},
"paging": {
"pageSize": 25
}
}
auth_headers = {
"Authorization": f"Bearer {access_token}",
"Content-Type": "application/json"
}
response = requests.post(query_url, headers=auth_headers, json=query_body)
if response.status_code == 200:
recordings = response.json().get("results", [])
print(f"Found {len(recordings)} recordings for user {user_id}")
# 3. Fetch Details for Each Recording
for rec in recordings:
rec_id = rec["id"]
detail_url = f"https://api.mypurecloud.com/api/v2/recordings/details/{rec_id}"
detail_response = requests.get(detail_url, headers=auth_headers)
if detail_response.status_code == 200:
detail = detail_response.json()
print(f"Recording ID: {rec_id}")
print(f"Duration: {detail.get('duration', 'N/A')}")
print(f"Status: {detail.get('status', 'N/A')}")
print("-" * 30)
else:
print(f"Query failed: {response.status_code}")
print(response.text)
# Usage
# user_id = "123e4567-e89b-12d3-a456-426614174000"
# get_user_recordings(user_id)
Why this works: The token derived from the Authorization Code flow carries the identity of the human user. If that user does not have permission to see a recording (e.g., it belongs to a different team and the user is not a supervisor), the API returns a 403 Forbidden. The Service Account token might bypass this if it has admin privileges, but it would violate the principle of least privilege and potentially expose PII to unauthorized system processes.
Step 3: Handling Pagination and Rate Limits
Both flows must handle pagination. The Genesys Cloud API returns a nextPage token in the response header or body. Additionally, server-side apps often hit rate limits (429 Too Many Requests).
import time
import requests
def fetch_all_pages(url: str, headers: dict, payload: dict = None) -> list:
"""
Generic paginator that handles 429 errors with exponential backoff.
"""
all_results = []
current_url = url
page_token = None
max_retries = 5
while True:
headers_retry = headers.copy()
if page_token:
headers_retry["X-Genesys-Page-Token"] = page_token
try:
if payload:
response = requests.post(current_url, headers=headers_retry, json=payload)
else:
response = requests.get(current_url, headers=headers_retry)
if response.status_code == 200:
data = response.json()
results = data.get("results", [])
all_results.extend(results)
# Check for next page
page_token = data.get("nextPage")
if not page_token:
break
print(f"Retrieved {len(results)} items. Fetching next page...")
elif response.status_code == 429:
# Rate Limited
retry_after = int(response.headers.get("Retry-After", 1))
print(f"Rate limited. Waiting {retry_after} seconds...")
time.sleep(retry_after)
max_retries -= 1
if max_retries == 0:
raise Exception("Max retries exceeded for rate limit.")
continue
else:
raise Exception(f"API Error: {response.status_code} - {response.text}")
except requests.exceptions.ConnectionError as e:
print(f"Connection error: {e}")
time.sleep(2)
continue
return all_results
# Usage Example
# headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
# all_recordings = fetch_all_pages("https://api.mypurecloud.com/api/v2/recordings/details/query", headers, query_body)
Complete Working Example
Below is a consolidated Python script that demonstrates both flows. It uses a class structure to manage the context.
import os
import requests
import secrets
import hashlib
import base64
from urllib.parse import urlencode
from datetime import datetime, timedelta
from dotenv import load_dotenv
load_dotenv()
class GenesysReporter:
def __init__(self):
self.sa_client_id = os.getenv("GENESYS_CLIENT_ID_SA")
self.sa_client_secret = os.getenv("GENESYS_CLIENT_SECRET_SA")
self.web_client_id = os.getenv("GENESYS_CLIENT_ID_WEB")
self.web_client_secret = os.getenv("GENESYS_CLIENT_SECRET_WEB")
self.redirect_uri = os.getenv("GENESYS_REDIRECT_URI")
self.api_base = "https://api.mypurecloud.com"
self.oauth_base = "https://api.mypurecloud.com/oauth"
# --- Client Credentials Flow ---
def get_sa_token(self) -> str:
url = f"{self.oauth_base}/token"
payload = {
"grant_type": "client_credentials",
"client_id": self.sa_client_id,
"client_secret": self.sa_client_secret,
"scope": "analytics:export:read"
}
headers = {"Content-Type": "application/x-www-form-urlencoded"}
response = requests.post(url, data=payload, headers=headers)
if response.status_code != 200:
raise Exception(f"SA Auth Failed: {response.text}")
return response.json()["access_token"]
def get_org_analytics(self) -> dict:
token = self.get_sa_token()
url = f"{self.api_base}/api/v2/analytics/conversations/details/query"
payload = {
"groupBy": [],
"interval": "day",
"dateFrom": (datetime.utcnow() - timedelta(days=1)).strftime("%Y-%m-%dT%H:%M:%S.000Z"),
"dateTo": datetime.utcnow().strftime("%Y-%m-%dT%H:%M:%S.000Z"),
"select": ["interactions"],
"filter": {"type": "AND", "clauses": []},
"paging": {"pageSize": 1000}
}
headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
response = requests.post(url, headers=headers, json=payload)
if response.status_code == 200:
return response.json()
raise Exception(f"Analytics Query Failed: {response.text}")
# --- Authorization Code Flow ---
def get_auth_url(self) -> tuple:
verifier = secrets.token_urlsafe(64)
challenge = base64.urlsafe_b64encode(
hashlib.sha256(verifier.encode('utf-8')).digest()
).decode('utf-8').rstrip('=')
params = {
"client_id": self.web_client_id,
"redirect_uri": self.redirect_uri,
"response_type": "code",
"scope": "call:read conversation:read",
"code_challenge": challenge,
"code_challenge_method": "S256",
"state": secrets.token_urlsafe(16)
}
url = f"{self.oauth_base}/authorize?{urlencode(params)}"
return url, verifier
def get_user_token(self, code: str, verifier: str) -> dict:
url = f"{self.oauth_base}/token"
payload = {
"grant_type": "authorization_code",
"client_id": self.web_client_id,
"client_secret": self.web_client_secret,
"code": code,
"redirect_uri": self.redirect_uri,
"code_verifier": verifier
}
headers = {"Content-Type": "application/x-www-form-urlencoded"}
response = requests.post(url, data=payload, headers=headers)
if response.status_code != 200:
raise Exception(f"User Auth Failed: {response.text}")
return response.json()
def get_user_recordings(self, access_token: str, user_id: str) -> list:
url = f"{self.api_base}/api/v2/recordings/details/query"
payload = {
"dateFrom": "2023-01-01T00:00:00.000Z",
"dateTo": "2023-12-31T23:59:59.000Z",
"filter": {
"type": "AND",
"clauses": [{"type": "EQUALS", "field": "participants.userId", "value": user_id}]
},
"paging": {"pageSize": 25}
}
headers = {"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"}
response = requests.post(url, headers=headers, json=payload)
if response.status_code == 200:
return response.json().get("results", [])
raise Exception(f"Recording Query Failed: {response.text}")
if __name__ == "__main__":
reporter = GenesysReporter()
# 1. Run Service Account Report
print("--- Organization Analytics ---")
try:
analytics = reporter.get_org_analytics()
print(f"Total Interactions: {analytics.get('total', 0)}")
except Exception as e:
print(e)
# 2. Run User Auth Setup
print("\n--- User Auth Setup ---")
auth_url, verifier = reporter.get_auth_url()
print(f"1. Visit this URL to login: {auth_url}")
print(f"2. Copy the 'code' parameter from the redirect URL after login.")
# Simulate user input
user_code = input("Enter Authorization Code: ")
if user_code:
tokens = reporter.get_user_token(user_code, verifier)
access_token = tokens["access_token"]
user_id = tokens.get("user_id", input("Enter User ID: "))
print("\n--- User Recordings ---")
try:
recordings = reporter.get_user_recordings(access_token, user_id)
print(f"Found {len(recordings)} recordings.")
except Exception as e:
print(e)
Common Errors & Debugging
Error: 401 Unauthorized
Cause: The access token is expired, invalid, or the client credentials are incorrect.
Fix: Ensure your client_id and client_secret match the API client in the Admin Console. For Authorization Code, ensure the code_verifier matches the code_challenge used during the authorization request. Tokens expire after 1 hour; implement refresh logic.
Error: 403 Forbidden
Cause: The token does not have the required scope, or the user identity lacks permission to access the specific resource.
Fix:
- Check the API client scopes in the Genesys Cloud Admin Console. Ensure
analytics:export:readorcall:readis added. - For user-specific data, verify that the logged-in user has the necessary role permissions (e.g., “Call Center Administrator” or “Supervisor”) to view the data.
Error: 429 Too Many Requests
Cause: You have exceeded the API rate limit.
Fix: Implement exponential backoff. Parse the Retry-After header from the 429 response. Do not retry immediately.
Error: Invalid Grant
Cause: In the Authorization Code flow, the code has already been used, expired, or the code_verifier does not match.
Fix: The authorization code is single-use. If you are debugging, generate a new code by visiting the auth URL again. Ensure the code_verifier stored in memory/session matches the one used to generate the challenge.