How do I actually scope an OAuth client to specific divisions when building a multi-tenant BPO integration? The docs hint at it, but the implementation details are sparse. I’m trying to isolate access for different BPO clients using their own OAuth clients. Each client should only see their own queues and users. I set up the OAuth client in the admin console and checked the “Divisions” box to restrict access. But when I use the JS SDK to authenticate with that client, it still pulls data from all divisions. The getQueues method returns queues from other tenants. I’ve verified the access token payload. The division_ids claim is present and correct. But the API calls ignore it. I’m using the standard Client.init flow. Here’s the setup:
const client = PlatformClient.init({
clientId: 'my-restricted-client-id',
clientSecret: 'secret',
basePath: 'https://api.mypurecloud.com'
});
await client.login();
const queues = await client.queues.getQueues({
expand: ['members']
});
The response contains queues from divisions not in the client’s scope. I tried passing divisionId in the request options. It works for filtering, but I want the client itself to be restricted. I don’t want to rely on client-side filtering. That’s a security risk. I checked the raw HTTP request. No division header is sent. I assumed the SDK would handle this based on the client config. Am I missing a config option? Or is the division scoping only enforced on certain endpoints? I need a programmatic way to enforce this boundary. The current behavior defeats the purpose of having restricted OAuth clients. I’m running the latest SDK version. Any ideas on how to make the SDK respect the client’s division scope?