Trying to script a token refresh for a headless integration. Using the client_credentials grant type against https://api.cxone.com/api/v2/oauth/token.
Here’s the curl command:
curl -X POST "https://api.cxone.com/api/v2/oauth/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=client_credentials&client_id=MY_CLIENT_ID&client_secret=MY_SECRET"
Getting back a 403 Forbidden. The response body is just:
{
  "message": "Access denied."
}
The client ID and secret are correct. I generated them in the Developer Console. The scope is set to full in the app settings. I’ve tried adding scope=full to the body payload too, same result.
Is there a specific permission on the API user that needs to be toggled for this grant type? Or is the endpoint different for CXone vs Genesys Cloud? The docs are a bit muddy on that distinction.
Here is the raw request dump:
POST /api/v2/oauth/token HTTP/1.1
Host: api.cxone.com
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials&client_id=abc123&client_secret=xyz789
Nothing in the logs on our end. Just the 403.