Client Credentials vs Authorization Code for WEM Reporting Service

We are building a server-side reporting service to pull WEM adherence metrics every minute for 500 agents. The app runs on an AWS Lambda function, so there is no user interaction. It just needs to authenticate and fetch data.

I have been using Client Credentials Grant in our Python script. It works fine for getting the token.

import requests

# Client Credentials grant: the app authenticates as itself, no user involved.
url = "https://api.mypurecloud.com/oauth/token"
payload = {
 "grant_type": "client_credentials",
 "client_id": "MY_CLIENT_ID",
 "client_secret": "MY_CLIENT_SECRET"
}
headers = {
 "Content-Type": "application/x-www-form-urlencoded"
}

response = requests.post(url, data=payload, headers=headers, timeout=10)
response.raise_for_status()  # fail here on a bad credential instead of a KeyError below
token = response.json()["access_token"]

The problem is when I use that token to call /api/v2/analytics/wem/metrics/queues. I get a 403 Forbidden error. The error message says insufficient_scope.

I read the docs. It says Client Credentials gives you app permissions. But WEM data is tied to users. The app needs to act on behalf of the agents or supervisors to see their data. Or does it?

I tried switching to Authorization Code Grant. But that requires a user to log in. We don’t want users logging in just to run a report. We want the Lambda to run automatically.

Is there a way to use Client Credentials for WEM? Or do I have to use Service Accounts with specific permissions? I saw something about wem:view permission. But adding that to the app doesn’t seem to fix the 403.

Also, the token expires in an hour. We are calling the API every minute. We should cache the token. But if it fails, we need to retry. The retry logic is messy.

What is the best practice here? Should we use a different grant type? Or is there a permission set I am missing?

The Lambda runs in US/Pacific timezone. We need the data to be accurate for PST. The API returns UTC. We convert it in code. That part is fine.

Just need the auth to work. Currently stuck on the 403.
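As an added example (not the original poster's code) for the caching and retry part of the question: a small cache that renews the client-credentials token shortly before its `expires_in` lifetime runs out, refreshes once when the API answers 401, and treats a 403 as a permission problem that no retry can fix. The `REFRESH_MARGIN` value, the set of retried status codes, and the `send(token) -> (status, body)` shape are assumptions; the token URL and form fields are the ones from the post.

```python
import time

TOKEN_URL = "https://api.mypurecloud.com/oauth/token"   # token endpoint from the post
REFRESH_MARGIN = 60   # assumed: renew this many seconds before the token expires


class NonRetryableError(Exception):
    """Permission or scope failures: retrying with the same client cannot fix them."""


def fetch_client_credentials_token(client_id, client_secret):
    """Same request as the post, returning (token, lifetime_seconds) and failing loudly."""
    import requests   # only needed for the live call, so the cache logic stays testable offline
    resp = requests.post(TOKEN_URL, data={"grant_type": "client_credentials",
                                          "client_id": client_id,
                                          "client_secret": client_secret}, timeout=10)
    resp.raise_for_status()
    body = resp.json()
    return body["access_token"], int(body["expires_in"])


class TokenCache:
    """Holds one token; fetch_token() must return (token, expires_in_seconds)."""

    def __init__(self, fetch_token, now=time.time):
        self._fetch, self._now = fetch_token, now
        self._token, self._expires_at = None, 0.0

    def get(self, force=False):
        # Renew early so a token never expires mid-request on the once-a-minute schedule.
        if force or self._token is None or self._now() >= self._expires_at - REFRESH_MARGIN:
            self._token, lifetime = self._fetch()
            self._expires_at = self._now() + lifetime
        return self._token


def call_with_retry(cache, send, attempts=3):
    """send(token) -> (status, body). 401 refreshes the token, 403 stops, 429/5xx retry."""
    refresh = False
    for _ in range(attempts):
        status, body = send(cache.get(force=refresh))
        refresh = False
        if status == 200:
            return body
        if status == 401:                 # expired or revoked token: refresh and retry
            refresh = True
        elif status == 403:               # missing permission/scope: a retry cannot add it
            raise NonRetryableError(f"403 from API: {body}")
        elif status not in (429, 500, 502, 503, 504):
            raise RuntimeError(f"unexpected HTTP {status}: {body}")
    raise RuntimeError(f"gave up after {attempts} attempts")
```

Wire it up with `cache = TokenCache(lambda: fetch_client_credentials_token(cid, secret))` and call the WEM endpoint through `call_with_retry`, so a 403 surfaces immediately as a configuration error rather than being masked by retries.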