Building a custom messaging channel via the DFO API. Need to handle auth server-side for the bot backend. Trying to grab a token using client_credentials. The docs say it’s supported for API access, but I keep hitting a wall.
Here’s the payload I’m POSTing to /api/v2/oauth/token:
grant_type=client_credentials&client_id=MY_ID&client_secret=MY_SECRET
Content-Type is application/x-www-form-urlencoded. The response comes back immediately with a 403 Forbidden:
{
  "code": "forbiddenException",
  "message": "Client is not authorized to use grant type client_credentials."
}
I’ve verified the ID and secret multiple times. The client has all the default scopes. I can get tokens fine using password grant with a service account, but that’s a security nightmare for a long-running bot process. Do I need to request specific permissions on the OAuth client resource in the admin console? Or is client_credentials simply blocked for DFO integrations? Checked the API docs again, nothing explicitly says it’s disabled, but the error is pretty clear. Stuck on this for a day. Need to know if I’m missing a config flag or if the grant type is genuinely unavailable for this use case.
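An added example, not part of the original post and not code from the API vendor: a Python sketch that builds the same form-encoded client_credentials request without sending it, masks the secret for logging, and classifies the 403 body quoted above as a grant-authorization failure rather than a credential failure. The host `dfo.example.invalid`, the function names and the category labels are assumptions made for illustration.

```python
import json
import urllib.parse
import urllib.request

TOKEN_PATH = "/api/v2/oauth/token"  # path from the post; the host is a placeholder
# Constructed sample: the 403 body quoted in the post.
SAMPLE_403 = ('{"code": "forbiddenException", "message": '
              '"Client is not authorized to use grant type client_credentials."}')


def build_token_request(base_url, client_id, client_secret):
    """Build, without sending, the form-encoded client_credentials POST."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode("ascii")
    return urllib.request.Request(
        base_url.rstrip("/") + TOKEN_PATH, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


def classify_token_error(status, raw_body):
    """Map an error response to what the operator should check next."""
    try:
        err = json.loads(raw_body)
        err = err if isinstance(err, dict) else {}
    except ValueError:
        err = {}
    msg = str(err.get("message", ""))
    if status == 403 and err.get("code") == "forbiddenException" and "grant type" in msg:
        # The error names the grant type, not the credentials.
        return "grant_not_enabled_for_client"
    if status in (400, 401):
        # RFC 6749 convention; that this API follows it is an assumption.
        return "check_credentials_or_request_format"
    return "unclassified"


def redact(request):
    """Loggable form body with the client secret masked."""
    fields = urllib.parse.parse_qs(request.data.decode("ascii"))
    fields["client_secret"] = ["REDACTED"]
    return urllib.parse.urlencode(fields, doseq=True)


if __name__ == "__main__":
    req = build_token_request("https://dfo.example.invalid", "MY_ID", "MY_SECRET")
    print(req.full_url, redact(req), classify_token_error(403, SAMPLE_403))
```

In a real backend the ID and secret would come from a secret store or environment rather than literals, and only the redacted form would be written to logs.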