How do you actually restrict an OAuth client to specific divisions when running a multi-tenant BPO setup? I’ve got a custom integration script that needs to pull contact data, but it’s currently hitting all divisions by default. We need it locked down to just the us-central-bpo and us-west-support divisions.
I tried updating the client via the Platform API, but the docs are vague on the division structure. Here’s the payload I sent to PUT /api/v2/oauth/clients/{id}:
```json
{
  "name": "BPO Contact Sync",
  "clientType": "confidential",
  "divisionId": "us-central-bpo",
  "divisions": [
    {
      "divisionId": "us-central-bpo",
      "enabled": true
    },
    {
      "divisionId": "us-west-support",
      "enabled": true
    }
  ]
}
```
The request returns a 200 OK, but when I generate a token using POST /api/v2/oauth/token, the resulting access token still seems to have global scope. I tested it by calling GET /api/v2/contact-center/contacts and it returned contacts from the emea-sales division, which definitely shouldn’t be accessible.
Is the divisions array the right place to set this? Or do I need to use the divisionIds field on the client itself? I noticed some older forum posts mentioning allowedDivisions, but that doesn’t seem to be in the current OpenAPI spec.
Also, should I be using the scope parameter in the token request to limit this? I tried adding contactcenter:read with a specific division query param, but that got rejected with a 400 Bad Request.
```bash
curl -X POST https://api.mypurecloud.com/api/v2/oauth/token \
  -H 'Authorization: Basic {encoded_creds}' \
  -d 'grant_type=client_credentials&scope=contactcenter:read'
```
Any ideas on how to properly scope this without manually filtering responses in the script? That’s a performance killer for large datasets.
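Whichever client field turns out to be the right one, the token's effective reach should be verified before the integration trusts it. The check below is an added example, not code from the original post or from Genesys; it assumes each contact record carries a `division` object with an `id` (the real field layout of `GET /api/v2/contact-center/contacts` is not confirmed here) and runs against a constructed sample page.

```python
# Added example (not from the original post): a fail-closed check that the
# token issued to the restricted client only sees the intended divisions.
# Assumptions: each record has a "division" object with an "id" (the actual
# response layout of GET /api/v2/contact-center/contacts is not confirmed),
# and SAMPLE_PAGE below is constructed, not captured from a live tenant.
from collections import Counter
from typing import Any, Dict, Iterable

ALLOWED_DIVISIONS = frozenset({"us-central-bpo", "us-west-support"})
MISSING = "<no-division>"  # a record with no division is treated as a leak


def division_of(record: Dict[str, Any]) -> str:
    """Return the record's division id, or MISSING if it cannot be determined."""
    division = record.get("division")
    if isinstance(division, dict):
        return str(division.get("id") or MISSING)
    if isinstance(division, str):
        return division
    return MISSING


def find_leaks(records: Iterable[Dict[str, Any]],
               allowed: Iterable[str] = ALLOWED_DIVISIONS) -> Dict[str, int]:
    """Count records whose division is outside the allow-list, keyed by division id."""
    allowed = set(allowed)
    counts = Counter(division_of(r) for r in records)
    return {div: n for div, n in counts.items() if div not in allowed}


def token_is_scoped(pages: Iterable[Dict[str, Any]],
                    allowed: Iterable[str] = ALLOWED_DIVISIONS) -> bool:
    """True only if every entity on every page belongs to an allowed division.

    Feed it the parsed JSON of each page the token was able to fetch; a single
    foreign or division-less record means the client is not restricted."""
    allowed = set(allowed)
    return all(not find_leaks(page.get("entities", []), allowed) for page in pages)


# Constructed sample reproducing what the poster saw: an emea-sales record leaking in.
SAMPLE_PAGE = {
    "entities": [
        {"id": "c-1", "division": {"id": "us-central-bpo", "name": "US Central BPO"}},
        {"id": "c-2", "division": {"id": "us-west-support", "name": "US West Support"}},
        {"id": "c-3", "division": {"id": "emea-sales", "name": "EMEA Sales"}},
    ],
    "nextUri": None,
}

if __name__ == "__main__":
    print("leaks by division:", find_leaks(SAMPLE_PAGE["entities"]))      # {'emea-sales': 1}
    print("token correctly scoped:", token_is_scoped([SAMPLE_PAGE]))      # False
```

Run it once after each change to the client (or on a schedule) so that a regression to global scope is caught as a failed check rather than discovered from cross-division data in the sync.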