We’re setting up a Terraform pipeline to manage our Genesys Cloud infrastructure. Currently, the CI runner is using a static client_id and client_secret to grab an OAuth token at the start of every job. It works, but the token expires in 3600 seconds. If a deployment takes longer than an hour, or if there’s a retry loop, the token dies and the build fails with a 401 Unauthorized. Rotating secrets every hour in our vault is a pain. We need a more stable auth method for the pipeline.
I looked into the /api/v2/oauth/token endpoint. The standard grant_type=client_credentials gives me the short-lived token. I tried adding a custom scope or tweaking the request body, but nothing changes the expiry.
Here’s the curl command I’m running in the pipeline script:
curl -X POST https://api.mypurecloud.com/api/v2/oauth/token \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'grant_type=client_credentials&client_id=my_client_id&client_secret=my_secret'
The response comes back with:
{
  "access_token": "eyJhbGci…",
  "token_type": "bearer",
  "expires_in": 3600,
  "scope": "platform:full"
}
Is there a way to get a longer-lived token via the API? Or is there a different endpoint I should be hitting? I saw some docs mentioning JWT signing keys, but that seems like overkill for a simple Terraform apply. We don’t want to expose private keys in the pipeline logs.
I also tried using a refresh token flow, but client_credentials doesn’t support refresh tokens. That’s a dead end.
Any ideas on how to handle this cleanly? We’ve considered using a service account with a long-lived API key, but I can’t find an endpoint that generates those programmatically. The UI lets you create them, but we need this to be reproducible in code.
Thanks for any pointers.
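
One way to keep a pipeline script from reusing a token past the `expires_in` shown in the response above is to cache the token and request a new one shortly before it expires. This is an added example, not code from the original post or from Genesys; the `GC_CLIENT_ID` and `GC_CLIENT_SECRET` variables, the 300-second margin and the function names are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. GC_CLIENT_ID and GC_CLIENT_SECRET
# are assumed environment variables injected by the CI secret store.
TOKEN_URL="https://api.mypurecloud.com/api/v2/oauth/token"  # endpoint from the post
REFRESH_MARGIN=300      # assumption: renew when under 5 minutes remain
GC_TOKEN=""             # cached access token, never echoed
GC_TOKEN_EXPIRES_AT=0   # epoch seconds at which the cached token expires

# Request a token and print the raw JSON body. The form body goes to curl on
# stdin (-d @-), so the secret is not in curl's argv or the process list.
# Assumes both values are URL-safe; keep `set -x` off around this call.
fetch_token_json() {
  printf 'grant_type=client_credentials&client_id=%s&client_secret=%s' \
    "$GC_CLIENT_ID" "$GC_CLIENT_SECRET" |
    curl --silent --show-error --fail -X POST "$TOKEN_URL" \
      -H 'Content-Type: application/x-www-form-urlencoded' -d @-
}

# Pull one string or number field out of the flat JSON object on stdin.
json_field() {
  tr -d '\n' |
    sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\{0,1\}\([^\",}[:space:]]*\).*/\1/p"
}

# Ensure GC_TOKEN holds a token with more than REFRESH_MARGIN seconds left.
# Call in the current shell (not in $(...)) before each long-running step.
ensure_token() {
  _now=$(date +%s)
  if [ -n "$GC_TOKEN" ] && [ "$_now" -lt $((GC_TOKEN_EXPIRES_AT - REFRESH_MARGIN)) ]; then
    return 0            # cached token is still fresh
  fi
  _resp=$(fetch_token_json) || { echo "token request failed" >&2; return 1; }
  _tok=$(printf '%s' "$_resp" | json_field access_token)
  _ttl=$(printf '%s' "$_resp" | json_field expires_in)
  case $_ttl in
    ''|*[!0-9]*) echo "unexpected token response" >&2; return 1 ;;
  esac
  [ -n "$_tok" ] || { echo "unexpected token response" >&2; return 1; }
  GC_TOKEN=$_tok
  GC_TOKEN_EXPIRES_AT=$((_now + _ttl))
}
```

A step then runs `ensure_token` and passes `$GC_TOKEN` in its `Authorization: Bearer` header, so a retry loop picks up a fresh token instead of failing with a 401.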