Trying to lock down a specific OAuth client to a single division for our BPO partners. We need the token to only see resources in divisionId: bpo-client-a. I’ve set the division_ids field in the client creation payload, but the resulting token still returns data from the global division when I hit /api/v2//queues. Here’s the client config I’m sending to /api/v2/oauth/clients:
{
"name": "BPO Client A Integration",
"type": "CONFIDENTIAL",
"division_ids": ["bpo-client-a"],
"redirect_uris": ["https://internal.bpo.example/callback"]
}
The client creates fine. I grab the token via client_credentials flow. Then I call GET /api/v2//queues. I expect an empty list or a 403. Instead, I get every queue in the tenant. Am I missing a specific scope or is the division_ids field on the client object just metadata? The docs are vague on whether this enforces read-only restrictions automatically.
You’re hitting the division scope, but global resources bypass that filter by default. The /api/v2/queues endpoint returns everything unless you pass divisionId explicitly in the query params. The client config is fine, just add ?divisionId=bpo-client-a to your request. Terraform can’t change that API behavior.
Cause: The OAuth client’s division_ids list doesn’t act as a hard filter for GET requests. It just defines which divisions the token can access. If you don’t specify a division in the query string, the API defaults to returning global resources plus everything in the allowed list. That’s why you’re seeing the global queues.
Solution: You have to explicitly pass the divisionId parameter in your request. The client config is fine, but the request needs to be scoped.
GET /api/v2/queues?divisionId=bpo-client-a
Authorization: Bearer <your_token>
If you’re using the PureCloud SDK, it’s cleaner to use the builder pattern so you don’t have to manually construct query strings.
const platformClient = require('genesys-cloud-purecloud-platform-client');
const Api = platformClient.Api;
const api = new Api(); // instance; the original redeclared the class name `Api` here

async function getScopedQueues() {
  // divisionId scopes the call; without it the API returns global + every allowed division
  const result = await api.queuesGetQueues({
    divisionId: 'bpo-client-a'
  });
  return result;
}
This forces the API to only return resources in that specific division. If you leave it off, you get the union of global and allowed. Just scope it in the call.
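A fail-closed wrapper for the pattern described in this answer, added here as an example and not code from the thread or from the Genesys SDK: it refuses to build an unscoped queues request, and it checks each returned queue's division so a leak of global resources is detected instead of silently consumed. It assumes queue entities carry a `division.id` field; the host and the sample response are constructed for the example.

```javascript
// Added example: fail-closed scoping around GET /api/v2/queues.
// Assumption: each queue entity has `division.id`. Host and sample data are constructed.
const BASE_URL = 'https://api.example.invalid'; // placeholder host

// Build the scoped request URL; refuse to proceed without a divisionId, because
// the unscoped endpoint returns global resources plus every allowed division.
function buildScopedQueuesUrl(divisionId) {
  if (typeof divisionId !== 'string' || divisionId.trim() === '') {
    throw new Error('divisionId is required: unscoped /api/v2/queues returns global + allowed divisions');
  }
  const url = new URL('/api/v2/queues', BASE_URL);
  url.searchParams.set('divisionId', divisionId);
  return url.toString();
}

// Split a response into queues in the expected division and queues that leaked in
// from elsewhere (for example the global division).
function partitionByDivision(entities, expectedDivisionId) {
  const inScope = [];
  const leaked = [];
  for (const q of entities) {
    const id = q.division && q.division.id;
    (id === expectedDivisionId ? inScope : leaked).push(q);
  }
  return { inScope, leaked };
}

// Validate a response: throw if anything outside the expected division came back,
// otherwise return only the in-scope queues.
function assertScoped(response, expectedDivisionId) {
  const { inScope, leaked } = partitionByDivision(response.entities || [], expectedDivisionId);
  if (leaked.length > 0) {
    const names = leaked.map((q) => `${q.name} (${(q.division && q.division.id) || 'no-division'})`);
    throw new Error(`Division scope violated by ${leaked.length} queue(s): ${names.join(', ')}`);
  }
  return inScope;
}

// Constructed sample: what an unscoped call looks like when a global queue leaks in.
const SAMPLE_UNSCOPED_RESPONSE = {
  entities: [
    { id: 'q-1', name: 'BPO A - Billing', division: { id: 'bpo-client-a', name: 'BPO Client A' } },
    { id: 'q-2', name: 'Tenant Support', division: { id: 'global-div-id', name: 'Home' } },
    { id: 'q-3', name: 'BPO A - Sales', division: { id: 'bpo-client-a', name: 'BPO Client A' } }
  ]
};
```

Run `assertScoped` over every response your integration consumes, not just the first one, so a later change in the API default or in the client's allowed divisions fails loudly.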