Generating long-lived API token for CI/CD pipeline via OAuth2

CrmCron · February 10, 2026, 6:56pm

Setting up a GitHub Actions workflow to push Data Action configs via CX as Code. Need a long-lived token since the standard JWT expires too fast for the pipeline duration.

Tried calling POST /api/v2/oauth/token with grant_type client_credentials. Getting a 401 Bad Request.

POST /api/v2/oauth/token
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials&client_id=xxx&client_secret=yyy

Is there a specific scope I’m missing for this grant type? Or do I need to use the refresh token flow instead?

AdamsAPI · February 10, 2026, 7:40pm

You’re sending the client credentials in the body. That’s why it’s failing. The OAuth endpoint expects Basic Auth in the header, not the payload.

Here’s the working curl. Note the Authorization header format.

curl -X POST https://api.mypurecloud.com/api/v2/oauth/token \
 -H "Content-Type: application/x-www-form-urlencoded" \
 -H "Authorization: Basic $(echo -n 'YOUR_CLIENT_ID:YOUR_CLIENT_SECRET' | base64)" \
 -d "grant_type=client_credentials"

The token still expires in 15 minutes though. You can’t really get a “long-lived” token for client_credentials. If your pipeline runs longer than that, you need to implement a refresh mechanism or just grab a new token every time the job starts. It’s cheap enough.

Also, make sure the application has the right scopes. Just having the token doesn’t mean it can write Data Actions. You’ll need admin:flow:write or similar depending on what you’re pushing. Check the app permissions in the admin portal.