Configuring a new OAuth client for a multi-tenant BPO setup. Each tenant maps to a specific division. The goal is to restrict the client’s access to only those divisions without hardcoding IDs in the app logic.
The client is created via the PlatformClient:
const client = PlatformClient.create({
clientId: process.env.CLIENT_ID,
clientSecret: process.env.CLIENT_SECRET,
baseUrl: 'https://api.mypurecloud.com'
});
The client gets assigned to a user with divisionId set. However, when calling client.users.getUsers(), it returns all users regardless of the division scope. The token seems to ignore the division filter.
Is there a specific permission or configuration step to enforce division-level scoping on the client itself? The docs mention division awareness but don’t clarify how to lock a client to a subset of divisions.
The division scoping happens at the client creation level, not in individual API calls. You’ll need to pass the divisions array when initializing the SDK client. This restricts all subsequent calls to those specific divisions automatically.
Here’s the correct configuration:
const client = PlatformClient.create({
clientId: process.env.CLIENT_ID,
clientSecret: process.env.CLIENT_SECRET,
baseUrl: 'https://api.mypurecloud.com',
divisions: [process.env.TENANT_DIVISION_ID] // Pass the specific division ID here
});
If you don’t set this, the client defaults to self or global scope depending on the token, which breaks multi-tenant isolation. You can verify the active division by checking the response headers on any GET call. Look for the X-Division header.
One thing to watch out for: the OAuth token itself doesn’t carry division restrictions. The SDK enforces this by appending the division ID to the request parameters or headers. If you’re using raw HTTP calls instead of the SDK, you’ll need to add ?divisionId=<id> to every endpoint that supports it.
Make sure the token has the right scopes. division:read isn’t enough. You need the specific resource scopes like routing:queue:read or conversation:read. The division filter applies on top of those permissions.
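Because the answer above notes that the token itself is not division-restricted and that the filter is appended client-side, a practitioner should treat that filter as a convenience, not a tenant boundary: the credential can still read every division, so an over-broad response (the exact symptom in the question) must be caught rather than silently rendered. The following is an added example, not code from the original post or from any SDK; `buildScopedUrl` follows the answer's advice of adding `divisionId` as a query parameter for raw HTTP calls, and `enforceDivisionScope` assumes each user record carries a `division: { id }` field, which is an assumption about the response shape, not something the thread confirms.

```javascript
// Added example (not from the original post or any SDK): defensive
// division-scope handling around results returned by a shared OAuth client.
// Assumption: user records carry a `division: { id }` field (hypothetical shape).

// Build a request URL that carries the division filter as a query parameter,
// as the answer suggests for raw HTTP calls. Refuses to build an unscoped URL
// so a missing tenant ID fails loudly instead of returning every division.
function buildScopedUrl(baseUrl, path, divisionId) {
  if (!divisionId) {
    throw new Error('refusing to build an unscoped URL for a multi-tenant call');
  }
  const url = new URL(path, baseUrl);
  url.searchParams.set('divisionId', divisionId); // parameter name per the answer's advice
  return url.toString();
}

// Verify that every record returned by the API belongs to one of the
// divisions this tenant may see. The token is not division-restricted, so a
// client-side filter is not a security boundary; this check turns an
// unexpected over-broad response into a hard failure instead of leaking
// another tenant's users into this tenant's view.
function enforceDivisionScope(records, allowedDivisionIds) {
  const allowed = new Set(allowedDivisionIds);
  const violations = records.filter(r => !r.division || !allowed.has(r.division.id));
  if (violations.length > 0) {
    const ids = [...new Set(violations.map(r => (r.division && r.division.id) || '<none>'))];
    throw new Error(
      `division scope violation: ${violations.length} record(s) from division(s) ${ids.join(', ')}`
    );
  }
  return records;
}

// Constructed sample response modelled on the symptom in the question:
// the call returned users from every division, not just the tenant's.
const SAMPLE_USERS = [
  { id: 'u-1', name: 'Alice', division: { id: 'div-tenant-a' } },
  { id: 'u-2', name: 'Bob',   division: { id: 'div-tenant-a' } },
  { id: 'u-3', name: 'Carol', division: { id: 'div-tenant-b' } },
];

// Run the guard over the constructed sample for tenant A and report the outcome.
function checkSample() {
  try {
    enforceDivisionScope(SAMPLE_USERS, ['div-tenant-a']);
    return 'ok';
  } catch (e) {
    return e.message;
  }
}

console.log(buildScopedUrl('https://api.example.invalid', '/api/v2/users', 'div-tenant-a'));
console.log(checkSample());
```

Wire `enforceDivisionScope` in right after the SDK call returns (for example around the entities array of `getUsers()`), before anything is cached or rendered, so a scoping regression in the SDK or a misconfigured client surfaces as an error in the tenant's request path rather than as cross-tenant data on screen.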