Trying to audit our OAuth setup programmatically. We’ve got a bunch of integrations and I need to verify which clients have specific scopes assigned without clicking through the admin console for each one.
I found the endpoint GET /api/v2/oauth/clients in the docs. It seems straightforward. I’m hitting it with a valid bearer token from a service account that has admin:oauth_client:view scope. The request succeeds with a 200 OK, but the response body is just { "pageSize": 25, "pageNumber": 1, "pageCount": 1, "total": 0, "entities": [] }.
That can’t be right. We definitely have clients registered. I checked the admin UI and there are about 12 active clients there.
Here’s the curl command I’m running:
curl -X GET "https://api.mypurecloud.com/api/v2/oauth/clients" \
-H "Authorization: Bearer <valid_token>" \
-H "Content-Type: application/json"
I’ve also tried adding query params like ?active=true or ?pageSize=100, but the result is always an empty entities array. The token itself works fine for other endpoints like GET /api/v2/users/me, so auth isn’t the issue.
Is there a specific scope requirement I’m missing on the service account? The docs mention admin:oauth_client:write for creating clients, but view should be enough for reading. Or is this endpoint deprecated and I need to use something else?
I’ve looked through the recent API changelogs and didn’t see any mention of this endpoint being removed or restricted. It’s frustrating because the documentation doesn’t list any known issues with empty results.
Maybe I need to use a different endpoint? I saw some references to GET /api/v2/oauth/clients/{clientId} but that requires knowing the ID beforehand, which defeats the purpose of listing them all.
Anyone else hit this wall? Or am I just missing a basic config step on the service account side? The timezone is America/Mexico_City if that matters for any caching weirdness, though I doubt it.
Here is the full response headers just in case:
HTTP/1.1 200 OK
Content-Type: application/json
X-Request-Id: 8f3a2b1c-4d5e-6f7a-8b9c-0d1e2f3a4b5c
Nothing in the headers suggests a permission error. Just an empty list. It’s probably something stupid I’m overlooking but I’ve stared at this for an hour and need a fresh pair of eyes.