I’ve spent hours trying to figure out why the token exchange endpoint is rejecting our service account credentials when attempting to bridge two distinct Genesys Cloud organizations. We are developing a unified analytics dashboard for a client that requires data aggregation from both their primary US-East org and a secondary EU-West org. The integration is deployed as an AppFoundry Premium App, and we are strictly adhering to the multi-org OAuth guidelines outlined in the developer documentation.
The workflow involves the primary org’s service account initiating a request to /api/v2/oauth/token using the client_credentials grant type. The request includes the correct client_id, client_secret, and resource parameter pointing to the secondary organization’s API base URL. Despite verifying that the client_id matches the app registration in the secondary org and that the client_secret is current, the response consistently returns a 401 Unauthorized error with the message Invalid client credentials.
We have confirmed the following:
- The Premium App is installed and approved in both organizations.
- The service account in the primary org has the necessary API permissions to initiate the exchange.
- The secondary org’s app registration allows external token requests.
- Time synchronization is accurate across our servers (UTC).
Interestingly, manual testing via Postman using the same credentials works intermittently, suggesting a potential rate-limiting issue or a transient state on the authentication server side. However, our automated scripts fail 100% of the time. We are using the Genesys Cloud Node.js SDK version 4.12.0 for these requests. Has anyone encountered issues with cross-org token exchanges where the error message points to invalid credentials despite them being correct? Are there specific scopes required on the secondary org’s app registration that are not explicitly documented for this use case?
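An added example, not part of the original post and not Genesys Cloud or SDK code: Node.js code that builds the client_credentials request described above in both client-authentication styles RFC 6749 section 2.3.1 permits, and names the fields in which two captured requests (for instance the Postman one and the script's) differ, without returning secret values. The function names, the api.secondary.example host and all credential values are constructed; the path and the resource parameter are taken from the post as written.

```javascript
// Added example, not code from the original post. TOKEN_PATH and the
// "resource" parameter come from the post; function names are hypothetical.
const TOKEN_PATH = '/api/v2/oauth/token';

// application/x-www-form-urlencoded encoding and decoding of a single value.
const formEncode = (s) => new URLSearchParams({ v: s }).toString().slice(2);
const formDecode = (s) => new URLSearchParams('v=' + s).get('v');

// Build a client_credentials request. RFC 6749 section 2.3.1 lets the client
// authenticate with HTTP Basic (id and secret form-encoded, then base64)
// or with client_id/client_secret in the request body.
function buildTokenRequest({ clientId, clientSecret, resource, auth = 'basic' }) {
  const body = new URLSearchParams({ grant_type: 'client_credentials', resource });
  const headers = { 'Content-Type': 'application/x-www-form-urlencoded' };
  if (auth === 'basic') {
    const pair = `${formEncode(clientId)}:${formEncode(clientSecret)}`;
    headers.Authorization = 'Basic ' + Buffer.from(pair, 'utf8').toString('base64');
  } else {
    body.set('client_id', clientId);
    body.set('client_secret', clientSecret);
  }
  return { method: 'POST', path: TOKEN_PATH, headers, body: body.toString() };
}

// Reduce a captured request to the fields an RFC-strict server would evaluate.
function normalize(req) {
  const p = new URLSearchParams(req.body);
  const h = Object.fromEntries(
    Object.entries(req.headers).map(([k, v]) => [k.toLowerCase(), v]));
  let id = p.get('client_id'), secret = p.get('client_secret'), auth = 'body';
  if ((h.authorization || '').startsWith('Basic ')) {
    const raw = Buffer.from(h.authorization.slice(6), 'base64').toString('utf8');
    const i = raw.indexOf(':');
    [id, secret, auth] = [formDecode(raw.slice(0, i)), formDecode(raw.slice(i + 1)), 'basic'];
  }
  return { auth, clientId: id, clientSecret: secret, grantType: p.get('grant_type'),
           resource: p.get('resource'), contentType: h['content-type'] };
}

// Name the fields that differ between two requests; values are never returned.
function diffRequests(a, b) {
  const [x, y] = [normalize(a), normalize(b)];
  const diffs = Object.keys(x).filter((k) => x[k] !== y[k]);
  for (const [tag, n] of [['a', x], ['b', y]]) {
    const s = n.clientSecret || '';
    if (s !== s.trim()) diffs.push(`${tag}:clientSecret has surrounding whitespace`);
  }
  return diffs;
}
```

Feeding `diffRequests` the request exported from Postman and the one the script actually sends (captured at a logging proxy or an HTTP client hook) narrows the comparison to field names, so the output can be shared in a ticket without exposing the secret.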