Trying to build a quick Node script to audit which OAuth clients have which scopes assigned. I need to list all clients in the org and check their scope assignments programmatically.
I’m using the Genesys Cloud Platform SDK for Node.js. Here’s the setup:
```javascript
const PureCloudPlatformClientV2 = require("genesys-cloud-purecloud-platform-client-v2");
const apiClient = new PureCloudPlatformClientV2.ApiClient();

// Auth flow works fine, token is valid
const token = await apiClient.loginClientCredentials("clientId", "clientSecret");
const oauthApi = new PureCloudPlatformClientV2.OauthApi(apiClient);

// This is where it fails
try {
  const clients = await oauthApi.postOauthClientsList({
    body: {
      pageSize: 100
    }
  });
  console.log(clients);
} catch (error) {
  console.error("Error listing clients:", error.status, error.message);
}
```
The auth part works. I can call /api/v2/users/me just fine. But when I hit POST /api/v2/oauth/clients, I get a 403 Forbidden. The error body says:
```json
{
  "status": 403,
  "code": "forbidden",
  "message": "Insufficient permissions to perform this action."
}
```
My app has admin:client:read scope. I double-checked in the admin portal. The scope is definitely assigned. I’m running this from my local machine, Node 20.12.0. GC version is 2025-06.150.0.
Is there a different endpoint I should be hitting? Or do I need another scope to list the clients? I’ve seen some older forum posts suggesting oauth:client:read but that scope doesn’t exist in the current docs.
Also tried the raw HTTP request with axios just to rule out SDK bugs:
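```javascript
const axios = require("axios");

// Same call as above, sent as a raw request with the token from loginClientCredentials
const response = await axios.post(
  "https://api.mypurecloud.com/api/v2/oauth/clients",
  { pageSize: 100 },
  {
    headers: {
      Authorization: `Bearer ${token.access_token}`,
      "Content-Type": "application/json"
    }
  }
);
```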
Same 403. The token is fresh, generated seconds before the call. It’s not expiring mid-request.
Am I missing something obvious here? The docs say admin:client:read should be enough. I’ve tried regenerating the client secret too, thinking maybe the scopes didn’t stick on rotation, but no luck.
Any ideas what’s blocking this? I just need to iterate through the client list and map the scopes. Feels like I’m hitting a wall on permissions that should be straightforward.
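An added example (not part of the original post, and not Genesys Cloud or SDK code) of the audit step the post is aiming for once the client list can be retrieved: it inverts per-client scopes into a scope-to-clients map and flags clients holding scopes outside an approved list. The `entities`, `name` and `scope` field names, the `example:*` scope names and the sample pages are assumptions constructed for illustration.

```javascript
// Constructed sample data. The page shape ({ entities: [...] }) and the
// name/scope fields are assumptions, not the documented response schema.
const samplePages = [
  { entities: [
    { name: "reporting-job", scope: ["example:reports:read"] },
    { name: "legacy-admin-tool", scope: ["admin:client:read", "example:users:write"] },
  ] },
  { entities: [
    { name: "batch-sync" }, // record with no scope list at all
    { name: "dashboards", scope: ["example:reports:read", "example:reports:read"] },
  ] },
];

// Walk every page, build scope -> [client names], and collect findings.
function auditClientScopes(pages, approvedScopes) {
  const approved = new Set(approvedScopes);
  const byScope = new Map();
  const findings = [];
  for (const page of pages) {
    for (const client of page.entities || []) {
      // De-duplicate, and treat a missing or malformed scope field as empty.
      const scopes = [...new Set(Array.isArray(client.scope) ? client.scope : [])];
      if (scopes.length === 0) {
        // Surface it instead of silently skipping: scopes alone cannot clear it.
        findings.push({ client: client.name, issue: "no-scopes-listed", scopes: [] });
        continue;
      }
      for (const scope of scopes) {
        if (!byScope.has(scope)) byScope.set(scope, []);
        byScope.get(scope).push(client.name);
      }
      const unapproved = scopes.filter((s) => !approved.has(s));
      if (unapproved.length > 0) {
        findings.push({ client: client.name, issue: "unapproved-scope", scopes: unapproved });
      }
    }
  }
  return { byScope, findings };
}

const report = auditClientScopes(samplePages, ["admin:client:read", "example:reports:read"]);
for (const [scope, names] of report.byScope) console.log(scope, "->", names.join(", "));
for (const f of report.findings) console.log("REVIEW", f.client, f.issue, f.scopes.join(", "));
```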