We’re building a multi-tenant BPO dashboard and need to isolate data by division. The standard OAuth client seems to pull everything, which is a security risk.
I tried adding division_id to the token request but it just gets ignored.
POST /oauth/token
{
  "grant_type": "client_credentials",
  "client_id": "xyz",
  "client_secret": "abc",
  "division_id": "123"
}
Is there a specific scope or API call to restrict the token to a single division?