My current config is completely failing…
The premium app deployment script fails with a 403 Forbidden when attempting to write to the /api/v2/organizations/settings endpoint during the initial provisioning phase.
This occurs specifically when the integration attempts to leverage the parent organization’s OAuth scopes for a newly spun-up child org via the multi-org flow. The token appears valid for the parent, but the API rejects the delegation.
Using SDK v2.1.4 and standard client credentials flow. Any insights on scope propagation limits?
Oh, this is a known issue…
Multi-org tokens do not inherit parent scopes automatically. The child org requires explicit scope grants. Add a genesyscloud_oauth_client resource for the child and assign scopes via genesyscloud_oauth_client_scope.
Warning: Do not use parent client credentials in child org API calls. It breaks audit trails.
This issue stems from the strict isolation of OAuth scopes in multi-tenant environments. The genesyscloud_oauth_client_scope assignment is mandatory for child orgs. Verify the scope attribute in the child client configuration. Ensure the parent credentials are not reused, as this disrupts audit trails and violates security policies.
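An added illustration of the fix described in the replies above (not code from the original thread, and not the Genesys Cloud Terraform provider's own documentation): each org gets its own provider alias and its own OAuth client, so child-org resources are never created with the parent's credentials. The provider arguments `oauthclient_id`, `oauthclient_secret` and `aws_region`, the `genesyscloud_oauth_client` attributes, the grant-type value and the `genesyscloud_auth_role` data source are written from memory of that provider and should be checked against its docs; the scope and role names are placeholders. It assigns scopes through the resource's `scopes` attribute rather than the separate `genesyscloud_oauth_client_scope` resource the reply names.

```hcl
# Added example, not from the thread. One provider alias per org; the
# parent's credentials are never handed to the child alias, so every
# child-org call is attributed to the child's own client in the audit log.

provider "genesyscloud" {
  alias              = "parent"
  oauthclient_id     = var.parent_client_id
  oauthclient_secret = var.parent_client_secret
  aws_region         = "us-east-1"
}

# Bootstrap credentials created inside the child org itself (the child
# org has to be entered once with its own client before Terraform can
# manage further clients there).
provider "genesyscloud" {
  alias              = "child"
  oauthclient_id     = var.child_bootstrap_client_id
  oauthclient_secret = var.child_bootstrap_client_secret
  aws_region         = "us-east-1"
}

# Weak pattern (left commented out): creating child-org resources through
# the parent alias. The parent token is valid for the parent only, the
# child org answers 403, and any call that did succeed would be logged
# against the parent's client.
# resource "genesyscloud_oauth_client" "child_provisioner" {
#   provider = genesyscloud.parent
#   ...
# }

# Corrected pattern: a dedicated client in the child org with explicit
# scopes and roles. Nothing is inherited from the parent.
data "genesyscloud_auth_role" "child_admin" {
  provider = genesyscloud.child
  name     = "PLACEHOLDER_ROLE_NAME" # e.g. the admin role used for provisioning
}

resource "genesyscloud_oauth_client" "child_provisioner" {
  provider              = genesyscloud.child
  name                  = "child-org-provisioner"
  description           = "Provisioning client for the child org (added example)"
  authorized_grant_type = "CLIENT-CREDENTIALS"
  # Placeholder scope list; use the scopes the provisioning endpoint
  # (/api/v2/organizations/settings in the question) actually requires.
  scopes = ["PLACEHOLDER_ORG_SCOPE"]
  roles {
    role_id = data.genesyscloud_auth_role.child_admin.id
  }
}
```

Point every child-org resource in the deployment at `provider = genesyscloud.child`; if a resource still carries the parent alias, the 403 in the question is the expected result rather than a scope-propagation bug.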