Trying to set up a long-lived API token for our CI/CD pipeline to deploy WEM rules via Terraform, but the POST /api/v2/oauth/token call keeps returning a 403 Forbidden error. The client ID and secret are correct, and I’ve verified the associated application has the necessary permissions.
POST /api/v2/oauth/token
{
  "grant_type": "client_credentials",
  "client_id": "my-client-id",
  "client_secret": "my-secret"
}
Is there a specific scope I’m missing for automation?
403 on client_credentials usually isn’t about the credentials themselves being wrong. It’s almost always an Application Permission issue in the Genesys Cloud admin console.
You need to go to Admin > Integrations > Applications, pick your app, and check the Permissions tab. Just having “access” isn’t enough. You need specific scopes. For WEM deployments via Terraform, you likely need analytics:reports:read or flows:read depending on exactly what the provider is hitting.
Also, check if your org has Application Approval enabled. If it is, the token request will fail until an admin approves the specific client ID in the Admin > Integrations > Applications > Approvals queue. It’s easy to miss that step.
If those are clear, try adding the scope parameter to your POST body. The API doesn’t always infer it correctly from the app config in automated pipelines.
curl -X POST https://api.mypurecloud.com/api/v2/oauth/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  --data-urlencode "grant_type=client_credentials" \
  --data-urlencode "client_id=YOUR_ID" \
  --data-urlencode "client_secret=YOUR_SECRET" \
  --data-urlencode "scope=analytics:reports:read flows:read"
If that still 403s, check the Audit Logs for that specific client ID. It’ll tell you exactly which scope was denied.
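As an added example (not code from any poster in this thread or from Genesys), here is a small Python script that does what the answer above describes in a form suited to a CI job: it builds the form-encoded client_credentials request with the scope parameter properly URL-encoded (the space-separated scope list is the part that is easy to get wrong), reads the client ID and secret from environment variables rather than the repo, and turns a 401 versus 403 into a log line that points at the right admin screen without ever echoing the secret. The token URL is the one from the thread's curl example; the environment variable names GENESYS_CLIENT_ID and GENESYS_CLIENT_SECRET and the "message" / "error_description" fields read from the error body are assumptions for this example.

```python
import json
import os
import urllib.error
import urllib.parse
import urllib.request

# Endpoint copied from the thread's curl example; the region host is an
# assumption for this example and should match your org's region.
TOKEN_URL = "https://api.mypurecloud.com/api/v2/oauth/token"


def build_token_request(client_id: str, client_secret: str, scopes: list) -> tuple:
    """Return (headers, body) for a client_credentials grant.

    The scope value is one space-separated string. urlencode() encodes the
    space as '+' and ':' as '%3A', so the body is valid
    application/x-www-form-urlencoded instead of containing a raw space.
    """
    fields = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }
    if scopes:
        fields["scope"] = " ".join(scopes)
    body = urllib.parse.urlencode(fields).encode("utf-8")
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return headers, body


def diagnose_token_response(status: int, body: str) -> str:
    """Map a token-endpoint response to one actionable CI log line.

    Only the response is inspected, never the request, so the client secret
    cannot end up in pipeline logs. Field names in the error body
    ("message", "error_description", "error") are assumptions.
    """
    try:
        payload = json.loads(body) if body else {}
    except json.JSONDecodeError:
        payload = {}
    detail = (
        payload.get("message")
        or payload.get("error_description")
        or payload.get("error")
        or ""
    )
    suffix = f": {detail}" if detail else ""
    if status == 200 and "access_token" in payload:
        return f"ok: token issued (expires_in={payload.get('expires_in')})"
    if status == 401:
        return "auth failed: client_id/client_secret were rejected" + suffix
    if status == 403:
        return (
            "forbidden: credentials were accepted but the app lacks the requested "
            "scope or the client is not approved; check the Applications "
            "permissions tab and the Approvals queue" + suffix
        )
    return f"unexpected {status}{suffix or ': ' + body[:200]}"


def request_token(scopes: list, url: str = TOKEN_URL) -> str:
    """Perform the grant using secrets from the environment (assumed variable names)."""
    client_id = os.environ["GENESYS_CLIENT_ID"]
    client_secret = os.environ["GENESYS_CLIENT_SECRET"]
    headers, body = build_token_request(client_id, client_secret, scopes)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return diagnose_token_response(resp.status, resp.read().decode("utf-8"))
    except urllib.error.HTTPError as err:
        # HTTPError carries the status and body of the 4xx/5xx response.
        return diagnose_token_response(err.code, err.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    print(request_token(["analytics:reports:read", "flows:read"]))
```

Run it inside the pipeline with the two environment variables set; a 403 line in the job output then tells the on-call engineer to look at the Applications permissions tab or the Approvals queue rather than at the secret itself.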
That 403 is likely a scope mismatch. Check the Application permissions tab. You need integrations:app:write for Terraform deployments.