Trying to get a simple server-to-server auth working for CXone. We’ve got the OAuth client ID and secret from the admin portal, but every POST to the token endpoint comes back with a 401 Unauthorized. The error payload is generic, just saying invalid credentials, but we’ve triple-checked the secrets. No typos. No extra spaces.
Here’s the raw curl command we’re running from a local Linux box:
curl -X POST 'https://api.cxone.com/oauth2/token' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'grant_type=client_credentials&client_id=MY_CLIENT_ID&client_secret=MY_SECRET'
The response is:
{
"error": "invalid_client",
"error_description": "Client authentication failed"
}
We’ve tried URL-encoding the secret manually, but that shouldn’t matter since curl handles the form data. Tried adding the client_id and secret as basic auth headers too, just in case the CXone docs are misleading about form data. Still 401.
Is there a specific scope required for client_credentials? The docs don’t list any, but maybe we’re missing a permission on the OAuth client itself? We’ve enabled the “API” access type in the CXone admin UI.
Also, is the endpoint correct? We’re using api.cxone.com. Some older posts mention api.niceincontact.com. Tried that too, same result.
What’s the exact format expected? We’re not using any SDK, just raw HTTP. Feels like we’re missing something stupid, but nothing works. Help.