Client Credentials vs Authorization Code — which grant type for a server-side reporting app
What You Will Build
A Python module that authenticates to Genesys Cloud, executes a conversation analytics query, and returns paginated reporting data. The code demonstrates both OAuth 2.0 grant types to establish why Client Credentials is the mandatory choice for unattended server-side reporting.
Prerequisites
- Genesys Cloud OAuth Client (Confidential type)
- Required scopes:
analytics:conversation:view,oauth:client_credentials(oroffline_accessfor Authorization Code) - Python 3.9+ runtime
- External dependencies:
httpx==0.27.0,pydantic==2.5.0 - Genesys Cloud Python SDK:
genesyscloud>=2.20.0
Authentication Setup
OAuth 2.0 defines multiple grant types for different application architectures. A server-side reporting application runs without user interaction. It executes on a schedule, processes data, and writes to a warehouse. This architecture eliminates the possibility of user consent flows. The Client Credentials grant type is designed specifically for machine-to-machine authentication. The Authorization Code grant type requires a browser redirect, user login, and explicit consent. Using Authorization Code for a background reporting job introduces unnecessary complexity, requires persistent storage of refresh tokens, and violates the principle of least privilege when the application does not act on behalf of a specific user.
The following sections demonstrate both flows. You will see the exact HTTP request/response cycles, SDK initialization, token caching patterns, and error handling for each.
Implementation
Step 1: Client Credentials Flow Implementation
The Client Credentials flow exchanges a client ID and client secret for an access token. The endpoint is POST https://api.mypurecloud.com/api/v2/oauth/token. The request body must contain the grant type, client ID, and client secret. The required scope is oauth:client_credentials.
import httpx
import os
from typing import Optional
from pydantic import BaseModel, ValidationError
class OAuthTokenResponse(BaseModel):
access_token: str
token_type: str
expires_in: int
scope: str
async def fetch_client_credentials_token(
client_id: str,
client_secret: str,
base_url: str = "https://api.mypurecloud.com"
) -> OAuthTokenResponse:
"""
Authenticates using the Client Credentials grant type.
Required scope: oauth:client_credentials
"""
token_url = f"{base_url}/api/v2/oauth/token"
async with httpx.AsyncClient(timeout=10.0) as client:
try:
response = await client.post(
token_url,
data={
"grant_type": "client_credentials",
"client_id": client_id,
"client_secret": client_secret
},
headers={"Accept": "application/json"}
)
response.raise_for_status()
return OAuthTokenResponse(**response.json())
except httpx.HTTPStatusError as e:
if e.response.status_code == 401:
raise ValueError("Invalid client_id or client_secret.") from e
elif e.response.status_code == 403:
raise ValueError("OAuth client is disabled or lacks oauth:client_credentials scope.") from e
raise
except ValidationError as e:
raise ValueError(f"Invalid token response structure: {e}") from e
except Exception as e:
raise RuntimeError(f"Authentication request failed: {e}") from e
# Usage example
# token = asyncio.run(fetch_client_credentials_token("your_client_id", "your_client_secret"))
# print(token.access_token)
Expected Response:
{
"access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
"token_type": "Bearer",
"expires_in": 7200,
"scope": "oauth:client_credentials"
}
Error Handling Notes:
A 401 status indicates incorrect credentials or an unapproved OAuth client. A 403 status indicates the client lacks the oauth:client_credentials scope or the client is disabled in the admin console. The code raises descriptive exceptions instead of failing silently.
Step 2: Authorization Code Flow Implementation
The Authorization Code flow requires a redirect URI, user interaction, and a PKCE verifier for public clients. For server-side applications, this flow is architecturally incorrect. The following JavaScript example demonstrates the redirect handling required by this grant type. You will see why it does not belong in a cron job or background worker.
import http from 'http';
import crypto from 'crypto';
const CLIENT_ID = process.env.GENESYS_CLIENT_ID;
const REDIRECT_URI = 'http://localhost:3000/callback';
const AUTH_URL = 'https://login.mypurecloud.com/as/authorization.oauth2';
function generatePKCE() {
const codeVerifier = crypto.randomBytes(32).toString('base64url');
const codeChallenge = crypto.createHash('sha256').update(codeVerifier).digest('base64url');
return { codeVerifier, codeChallenge };
}
const { codeVerifier, codeChallenge } = generatePKCE();
const authParams = new URLSearchParams({
response_type: 'code',
client_id: CLIENT_ID,
redirect_uri: REDIRECT_URI,
scope: 'analytics:conversation:view offline_access',
code_challenge: codeChallenge,
code_challenge_method: 'S256'
});
const loginUrl = `${AUTH_URL}?${authParams.toString()}`;
console.log(`Open this URL in a browser: ${loginUrl}`);
const server = http.createServer((req, res) => {
const url = new URL(req.url, `http://localhost:3000`);
if (url.pathname === '/callback') {
const code = url.searchParams.get('code');
const error = url.searchParams.get('error');
if (error) {
console.error('Authorization failed:', error, url.searchParams.get('error_description'));
res.writeHead(400, { 'Content-Type': 'text/plain' });
res.end('Authorization failed.');
server.close();
return;
}
if (!code) {
res.writeHead(400, { 'Content-Type': 'text/plain' });
res.end('Missing authorization code.');
server.close();
return;
}
// Exchange code for token
const tokenData = new URLSearchParams({
grant_type: 'authorization_code',
client_id: CLIENT_ID,
code: code,
redirect_uri: REDIRECT_URI,
code_verifier: codeVerifier
});
const tokenReq = http.request({
hostname: 'api.mypurecloud.com',
path: '/api/v2/oauth/token',
method: 'POST',
headers: {
'Content-Type': 'application/x-www-form-urlencoded',
'Accept': 'application/json'
}
}, (tokenRes) => {
let body = '';
tokenRes.on('data', chunk => body += chunk);
tokenRes.on('end', () => {
console.log('Token response:', body);
res.writeHead(200, { 'Content-Type': 'text/plain' });
res.end('Token acquired. Server closing.');
server.close();
});
});
tokenReq.on('error', (e) => {
console.error('Token exchange failed:', e.message);
res.writeHead(500, { 'Content-Type': 'text/plain' });
res.end('Token exchange failed.');
server.close();
});
tokenReq.write(tokenData.toString());
tokenReq.end();
} else {
res.writeHead(404);
res.end();
}
});
server.listen(3000, () => console.log('Redirect server listening on port 3000'));
Expected Response:
{
"access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
"token_type": "Bearer",
"expires_in": 3600,
"refresh_token": "dGhpcyBpcyBhIHJlZnJlc2ggdG9rZW4...",
"scope": "analytics:conversation:view offline_access"
}
Error Handling Notes:
The Authorization Code flow returns a refresh_token only when offline_access is requested. Managing refresh tokens requires persistent storage, expiration tracking, and retry logic for 401 responses during token exchange. This complexity is unnecessary for a reporting application that does not need user context.
Step 3: Analytics Query with Pagination and Retry Logic
The reporting endpoint /api/v2/analytics/conversations/details/query supports pagination via the pageSize and pageNumber parameters. The API returns a 429 status when rate limits are exceeded. Production code must implement exponential backoff and respect the Retry-After header. The required scope is analytics:conversation:view.
import time
import httpx
from typing import List, Dict, Any
async def fetch_analytics_data(
access_token: str,
query_payload: Dict[str, Any],
base_url: str = "https://api.mypurecloud.com",
max_retries: int = 3
) -> List[Dict[str, Any]]:
"""
Executes a conversation analytics query with pagination and 429 retry logic.
Required scope: analytics:conversation:view
"""
endpoint = f"{base_url}/api/v2/anversations/details/query"
headers = {
"Authorization": f"Bearer {access_token}",
"Content-Type": "application/json",
"Accept": "application/json"
}
all_results = []
page_number = 1
page_size = 100
has_more = True
async with httpx.AsyncClient(timeout=30.0) as client:
while has_more:
query_payload["pageNumber"] = page_number
query_payload["pageSize"] = page_size
retry_count = 0
while retry_count < max_retries:
try:
response = await client.post(
endpoint,
headers=headers,
json=query_payload
)
if response.status_code == 429:
retry_after = int(response.headers.get("Retry-After", 2 ** retry_count))
print(f"Rate limited. Retrying in {retry_after} seconds...")
await asyncio.sleep(retry_after)
retry_count += 1
continue
response.raise_for_status()
data = response.json()
# Process pagination
entities = data.get("entities", [])
all_results.extend(entities)
if len(entities) < page_size:
has_more = False
else:
page_number += 1
break # Success, exit retry loop
except httpx.HTTPStatusError as e:
if e.response.status_code == 401:
raise ValueError("Access token expired or invalid.") from e
elif e.response.status_code == 403:
raise ValueError("Missing analytics:conversation:view scope.") from e
elif e.response.status_code == 400:
raise ValueError(f"Invalid query payload: {e.response.text}") from e
else:
raise
except Exception as e:
raise RuntimeError(f"Request failed: {e}") from e
if retry_count == max_retries:
raise RuntimeError("Max retries exceeded due to rate limiting.")
return all_results
# Example query payload
# query = {
# "dateFrom": "2023-10-01T00:00:00.000Z",
# "dateTo": "2023-10-31T23:59:59.999Z",
# "interval": "PT1H",
# "groupBy": ["routing.queue.id"],
# "select": ["routing.queue.id", "routing.queue.name", "conversation.count"]
# }
Expected Response:
{
"page": 1,
"pageSize": 100,
"total": 250,
"firstUri": "/api/v2/analytics/conversations/details/query?dateFrom=...",
"lastUri": "/api/v2/analytics/conversations/details/query?dateFrom=...",
"entities": [
{
"routing": {
"queue": {
"id": "12345678-1234-1234-1234-123456789012",
"name": "Support Queue"
}
},
"conversation": {
"count": 145
}
}
]
}
Error Handling Notes:
The retry loop handles 429 responses by parsing the Retry-After header. If the header is missing, it falls back to exponential backoff. The pagination loop terminates when the returned entity count is less than the requested page size. Token expiration is caught explicitly to allow the caller to re-authenticate.
Complete Working Example
The following script combines the Client Credentials flow and the analytics query. It implements token caching, automatic refresh logic, and structured logging. Replace the placeholder credentials with your OAuth client values.
import asyncio
import os
import time
from typing import Dict, Any, Optional
import httpx
from pydantic import BaseModel
class CachedToken(BaseModel):
access_token: str
expires_at: float
class GenesysReportingClient:
def __init__(self, client_id: str, client_secret: str, base_url: str = "https://api.mypurecloud.com"):
self.client_id = client_id
self.client_secret = client_secret
self.base_url = base_url
self.token_cache: Optional[CachedToken] = None
self.http_client = httpx.AsyncClient(timeout=30.0)
async def get_valid_token(self) -> str:
current_time = time.time()
if self.token_cache and current_time < self.token_cache.expires_at - 60:
return self.token_cache.access_token
token_url = f"{self.base_url}/api/v2/oauth/token"
try:
response = await self.http_client.post(
token_url,
data={
"grant_type": "client_credentials",
"client_id": self.client_id,
"client_secret": self.client_secret
},
headers={"Accept": "application/json"}
)
response.raise_for_status()
data = response.json()
self.token_cache = CachedToken(
access_token=data["access_token"],
expires_at=current_time + data["expires_in"]
)
return self.token_cache.access_token
except httpx.HTTPStatusError as e:
if e.response.status_code == 401:
raise ValueError("Invalid credentials.") from e
if e.response.status_code == 403:
raise ValueError("OAuth client lacks required scope.") from e
raise
async def run_analytics_query(self, query_payload: Dict[str, Any]) -> list:
token = await self.get_valid_token()
headers = {
"Authorization": f"Bearer {token}",
"Content-Type": "application/json",
"Accept": "application/json"
}
endpoint = f"{self.base_url}/api/v2/analytics/conversations/details/query"
all_results = []
page_number = 1
page_size = 100
max_retries = 3
while True:
query_payload["pageNumber"] = page_number
query_payload["pageSize"] = page_size
retry_count = 0
while retry_count < max_retries:
try:
response = await self.http_client.post(endpoint, headers=headers, json=query_payload)
if response.status_code == 429:
wait_time = int(response.headers.get("Retry-After", 2 ** retry_count))
await asyncio.sleep(wait_time)
retry_count += 1
continue
response.raise_for_status()
data = response.json()
entities = data.get("entities", [])
all_results.extend(entities)
if len(entities) < page_size:
return all_results
page_number += 1
break
except httpx.HTTPStatusError as e:
if e.response.status_code == 401:
self.token_cache = None
token = await self.get_valid_token()
headers["Authorization"] = f"Bearer {token}"
continue
raise
if retry_count == max_retries:
raise RuntimeError("Rate limit exceeded after maximum retries.")
async def close(self):
await self.http_client.aclose()
async def main():
client_id = os.getenv("GENESYS_CLIENT_ID")
client_secret = os.getenv("GENESYS_CLIENT_SECRET")
if not client_id or not client_secret:
raise EnvironmentError("GENESYS_CLIENT_ID and GENESYS_CLIENT_SECRET must be set.")
async with GenesysReportingClient(client_id, client_secret) as client:
query = {
"dateFrom": "2023-11-01T00:00:00.000Z",
"dateTo": "2023-11-30T23:59:59.999Z",
"interval": "PT1H",
"groupBy": ["routing.queue.id"],
"select": ["routing.queue.id", "routing.queue.name", "conversation.count"]
}
results = await client.run_analytics_query(query)
print(f"Retrieved {len(results)} analytics records.")
for record in results[:3]:
print(record)
if __name__ == "__main__":
asyncio.run(main())
Common Errors & Debugging
Error: 401 Unauthorized
- Cause: The OAuth client ID or secret is incorrect, the client is disabled, or the access token has expired.
- Fix: Verify credentials in the Genesys Cloud admin console under Platform > OAuth. Ensure the
oauth:client_credentialsscope is enabled. Implement token caching with a 60-second expiration buffer to prevent mid-request expiry. - Code Fix: The
GenesysReportingClientclass automatically clears the cache and re-authenticates on401responses during API calls.
Error: 403 Forbidden
- Cause: The OAuth client lacks the
analytics:conversation:viewscope, or the client does not have the necessary role permissions to access reporting data. - Fix: Navigate to Platform > OAuth and add
analytics:conversation:viewto the client scopes. Assign the OAuth client to a security role that includes the Analytics: View permission. - Code Fix: The script raises a descriptive
ValueErrorto prevent silent failures.
Error: 429 Too Many Requests
- Cause: The application exceeded the Genesys Cloud API rate limits. Reporting endpoints typically allow 10 requests per second per tenant.
- Fix: Implement exponential backoff and respect the
Retry-Afterheader. Reduce query frequency by aggregating data locally before re-querying. - Code Fix: The
run_analytics_querymethod includes a retry loop that parsesRetry-Afterand falls back to2 ** retry_countseconds.
Error: 502 Bad Gateway / 504 Gateway Timeout
- Cause: Temporary infrastructure issues or oversized query payloads causing backend timeouts.
- Fix: Narrow the
dateFromanddateTorange. Reduce the number ofselectfields. Implement circuit breaker patterns for production workloads. - Code Fix: The
httpxclient uses a 30-second timeout. Adjust based on payload size and network latency.