We recently migrated our org to use SAML SSO for all user authentication. The login page redirects to our IdP correctly, and agents can log in without issue. However, our backend services that rely on the OAuth client credentials grant to fetch data via the /api/v2/… endpoints are now failing with a 401 Unauthorized error.
The error response is pretty generic:
```json
{
  "errors": [
    {
      "code": "invalid_grant",
      "message": "Client authentication failed"
    }
  ]
}
```
Here is the Python snippet we use to get the token:
```python
import requests


def get_access_token(client_id, client_secret):
    url = "https://api.mypurecloud.com/oauth/token"
    payload = {
        "grant_type": "client_credentials",
        "scope": "api"
    }
    headers = {
        "Content-Type": "application/x-www-form-urlencoded"
    }
    # Basic Auth for client credentials
    auth = (client_id, client_secret)
    response = requests.post(url, data=payload, headers=headers, auth=auth)
    return response.json()
```
We’ve verified that the client_id and client_secret are correct by checking the Integrations settings in the admin console. The app still has the “Read-only” permission set. We also tried adding the “offline_access” scope, but that didn’t change anything.
I’m wondering if enabling SAML SSO implicitly disables the client credentials grant for security reasons, or if there’s a specific configuration step in the SAML settings that we missed. The docs mention that SAML affects user login, but I haven’t seen anything about it breaking machine-to-machine auth.
Has anyone else run into this after a SAML migration? We need a quick fix since our reporting dashboards are down.