We’re trying to set up a dedicated OAuth client for our multi-tenant BPO environment. The goal is to restrict the client’s access to specific divisions so each BPO partner only sees their own data. I’ve created the client via the Admin UI and checked the ‘Scopes’ section, but there’s no obvious way to bind it to a division ID. I tried passing the divisionId in the token request body, but that just gets ignored.
Here’s the request I’m sending to the authorization endpoint:
POST /oauth/token
{
"grant_type": "client_credentials",
"client_id": "my-bpo-client-id",
"client_secret": "super-secret-key",
"division_id": "d-12345-tenant-a"
}
The response comes back with a valid access token, but when I use that token to fetch users (GET /api/v2/users), it returns users from ALL divisions, not just the one specified. I’ve also tried setting the X-Genesys-App-Id header, but that didn’t change anything. The token itself looks fine, just too permissive.
I’ve checked the docs on division scoping, but it’s vague about whether this is handled at the client creation level or the token request level. Is there a specific API call to assign divisions to a client? Or am I missing a scope parameter? We need this tight control for compliance. Right now, Partner A can see Partner B’s agents, which is a no-go. Any ideas on how to actually enforce this boundary at the OAuth level?
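Added example, not part of the original post. A standard OAuth 2.0 client_credentials token request (RFC 6749 section 4.4) defines only grant_type and an optional scope; a parameter such as division_id in the body is not something the token endpoint is required to understand, so a token that comes back unchanged is the expected behaviour, and whatever binds the client to a division has to be verified on the resource side. The script below is that verification: it takes a users listing as returned by GET /api/v2/users and reports every user whose division is not in the allowed set, so it can run as a regression test after each change to the client's configuration. It assumes each user object carries a "division" sub-object with an "id" (the shape the poster's environment returns is an assumption here); the sample response, the user ids and the Tenant B division id are constructed for the example, only "d-12345-tenant-a" comes from the post.

```python
import json
from collections import defaultdict

# Constructed sample of a GET /api/v2/users-style response. Assumption: each
# user carries a "division" object with an "id". The user ids and the
# "d-67890-tenant-b" division are invented for this example; u-004 has no
# division at all to show that such records are reported rather than dropped.
SAMPLE_USERS_RESPONSE = json.dumps({
    "entities": [
        {"id": "u-001", "name": "Agent One",
         "division": {"id": "d-12345-tenant-a", "name": "Tenant A"}},
        {"id": "u-002", "name": "Agent Two",
         "division": {"id": "d-12345-tenant-a", "name": "Tenant A"}},
        {"id": "u-003", "name": "Agent Three",
         "division": {"id": "d-67890-tenant-b", "name": "Tenant B"}},
        {"id": "u-004", "name": "Agent Four", "division": {}},
    ],
    "pageSize": 25,
    "pageNumber": 1,
    "total": 4,
})


def users_by_division(response_text):
    """Group the user ids in a users listing by division id.

    Users without a division id are grouped under None instead of being
    skipped: a record with no division is itself a finding in a
    multi-tenant setup, because nothing scopes it to a partner.
    """
    body = json.loads(response_text)
    groups = defaultdict(list)
    for user in body.get("entities", []):
        division_id = (user.get("division") or {}).get("id")
        groups[division_id].append(user["id"])
    return dict(groups)


def find_cross_division_leakage(response_text, allowed_division_ids):
    """Return the sorted user ids that fall outside the allowed divisions.

    A token correctly bound to one partner's division should yield an
    empty list; anything else means the boundary is not being enforced.
    """
    allowed = set(allowed_division_ids)
    leaked = []
    for division_id, user_ids in users_by_division(response_text).items():
        if division_id not in allowed:
            leaked.extend(user_ids)
    return sorted(leaked)


def assert_division_isolation(response_text, allowed_division_ids):
    """Raise AssertionError if any user lies outside the allowed divisions.

    Intended to be called right after fetching /api/v2/users with the
    partner's token, so a mis-scoped client fails loudly in a test run.
    """
    leaked = find_cross_division_leakage(response_text, allowed_division_ids)
    if leaked:
        raise AssertionError(
            f"token is not division-scoped: {len(leaked)} user(s) outside "
            f"{sorted(allowed_division_ids)}: {leaked}"
        )
    return True


if __name__ == "__main__":
    # With only Tenant A allowed, Tenant B's agent and the division-less
    # user are reported.
    print(find_cross_division_leakage(SAMPLE_USERS_RESPONSE, {"d-12345-tenant-a"}))
```

To use it against a live environment, replace SAMPLE_USERS_RESPONSE with the body returned by GET /api/v2/users when called with Partner A's token, and page through the full listing before declaring the check clean; a single page that happens to contain only Partner A's agents proves nothing.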