How to generate a long-lived API token for a CI/CD pipeline?

Trying to set up a secure auth flow for a CI/CD pipeline that runs script validations. We don’t want to hardcode client secrets. The goal is a token that lasts longer than the default 3600 seconds, ideally valid for the whole build window or longer if possible.

Tried hitting the standard /oauth/token endpoint with client credentials. Got a 200 OK, but the expires_in is stuck at one hour. The pipeline fails halfway through when the token drops.

  • Endpoint: POST /oauth/token
  • Grant type: client_credentials
  • Scope: admin:script:read
  • Response: access_token present, expires_in 3600

Checked the API docs and they mention custom grants or extended lifespans for service accounts, but the examples are vague. Is there a specific parameter to extend the TTL? Or do we need to implement a refresh loop in the pipeline script?

Here is the basic curl request we are using:

curl -X POST 'https://platform.nicecxone.com/oauth/token' \
 -d 'grant_type=client_credentials&client_id=MY_ID&client_secret=MY_SECRET&scope=admin:script:read'

The response is standard. No errors, just short life. Any ideas on how to tweak this for a pipeline context?

Honestly, don’t bother trying to stretch that expiry. Genesys locks it at an hour for a reason. Just cache the token in your CI runner and refresh it on a 401.

# Simple refresh loop for your pipeline
get_token() {
  curl -X POST "https://api.mypurecloud.com/oauth/token" \
    -H "Content-Type: application/x-www-form-urlencoded" \
    -d "grant_type=client_credentials&client_id=${CLIENT_ID}&client_secret=${CLIENT_SECRET}"
}
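
The cache-and-refresh-on-401 approach from the reply above, written out as an added example (not code from the thread or from either vendor's documentation). The environment variable names TOKEN_URL, CLIENT_ID, CLIENT_SECRET and TOKEN_CACHE and all function names are assumptions; the secret and the bearer token are passed to curl on stdin so they do not show up in the runner's process list.

```sh
# Added example. Assumed env vars from the CI secret store: TOKEN_URL, CLIENT_ID, CLIENT_SECRET.
REFRESH_MARGIN=60                        # renew this many seconds before expires_in runs out
TOKEN_CACHE=${TOKEN_CACHE:-$(mktemp)}    # mktemp creates the file with mode 0600

# Token request; the body goes through stdin (values assumed to need no URL-encoding).
fetch_token_response() {
  printf 'grant_type=client_credentials&client_id=%s&client_secret=%s' \
    "$CLIENT_ID" "$CLIENT_SECRET" |
    curl -sS --fail -X POST "$TOKEN_URL" -d @-   # -d sends form-urlencoded by default
}

# Pull one field out of a flat JSON object on stdin (dependency-free; jq is the sturdier choice).
json_field() { sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\{0,1\}\([^\",}]*\).*/\1/p"; }

refresh_token() {
  local resp tok ttl
  resp=$(fetch_token_response) || return 1
  tok=$(printf '%s' "$resp" | json_field access_token)
  ttl=$(printf '%s' "$resp" | json_field expires_in)
  [ -n "$tok" ] || return 1
  ( umask 077   # cache line format: "<deadline epoch> <token>"
    printf '%s %s\n' "$(( $(date +%s) + ${ttl:-3600} - $REFRESH_MARGIN ))" "$tok" > "$TOKEN_CACHE" )
}

# Print a usable token, renewing it when the cache is empty or past its deadline.
current_token() {
  local exp tok
  read -r exp tok 2>/dev/null < "$TOKEN_CACHE" || true
  if [ -z "$tok" ] || [ "$(date +%s)" -ge "${exp:-0}" ]; then
    refresh_token || return 1
    read -r exp tok < "$TOKEN_CACHE"
  fi
  printf '%s\n' "$tok"
}

# GET with the bearer header read from stdin; prints the body, then the status on the last line.
http_get() { printf 'Authorization: Bearer %s\n' "$1" | curl -sS -H @- -w '\n%{http_code}' "$2"; }

# api_get <url>: on a 401, drop the cached token, fetch a new one and retry once.
api_get() {
  local out code attempt tok
  for attempt in 1 2; do
    tok=$(current_token) || return 1
    out=$(http_get "$tok" "$1") || return 1
    code=$(printf '%s\n' "$out" | tail -n 1)
    [ "$code" = 401 ] && [ "$attempt" = 1 ] || break
    : > "$TOKEN_CACHE"
  done
  printf '%s\n' "$out" | sed '$d'
  case $code in 2??) return 0 ;; *) return 1 ;; esac
}
```

The cache lives in a file rather than a shell variable because `$(api_get ...)` runs in a subshell, where a variable update would be lost after each call.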