OAuth client division scoping failing for multi-tenant BPO

Trying to lock down a Genesys Cloud OAuth client for a specific BPO tenant using the division ID in the allowed_divisions array. The goal is multi-tenant isolation. We have three distinct divisions: BPO_A, BPO_B, and BPO_C. The client needs to only access BPO_A.

Created the client via the API with this payload:

{
  "name": "BPO_A_Client",
  "client_type": "confidential",
  "allowed_divisions": [
    "div_id_12345"
  ],
  "redirect_uris": [
    "https://app.bpo-a.com/callback"
  ]
}

The client created successfully. But when I try to get a token using client_credentials grant, I get a 401 Unauthorized. The error response is vague:

{
  "errors": [
    {
      "code": "invalid_grant",
      "message": "The authorization grant is invalid, expired, or revoked"
    }
  ]
}

Checked the client secret. It’s correct. The division ID matches exactly what’s in the Genesys admin UI. Tried swapping the division ID with the master division ID. Token works fine. So the scoping logic is blocking it.

Is there a specific permission needed on the client itself to allow division scoping? Or does the application type matter? We’re using a standard web app client.

Also, noticed that if I remove the allowed_divisions field entirely, the token works but grants access to everything. That’s not acceptable. Need strict isolation.

Tried calling POST /oauth2/token with:

  • grant_type: client_credentials
  • client_id: [our_id]
  • client_secret: [our_secret]

No scope parameter sent. Maybe that’s the issue? Docs say scopes are optional for client credentials but required for some resources. What scope should I pass to make division scoping work? admin:all? That seems too broad.

Stuck on this. Need a working example of the exact JSON payload for token request when division scoping is active. Any help appreciated.
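Added example, not from the original post: the client_credentials token request encoded as RFC 6749 prescribes (HTTP Basic client authentication, form-encoded body rather than a JSON payload), plus a small classifier for the token endpoint's reply, exercised on the 401 body quoted above. The hostname is a placeholder, and nothing here speaks to the allowed_divisions behaviour the post asks about.

```python
import base64
import json
from typing import Optional
from urllib.parse import urlencode

# Placeholder host; substitute the real token endpoint for your region.
TOKEN_URL = "https://login.example.invalid/oauth2/token"


def build_client_credentials_request(client_id: str, client_secret: str,
                                     scope: Optional[str] = None) -> dict:
    """Build an RFC 6749 section 4.4 client_credentials token request.

    The client authenticates with HTTP Basic (client_id:client_secret,
    section 2.3.1) and the body is application/x-www-form-urlencoded.
    The secret is never placed in the URL or the body.
    """
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = {"grant_type": "client_credentials"}
    if scope:
        body["scope"] = scope
    return {
        "method": "POST",
        "url": TOKEN_URL,
        "headers": {
            "Authorization": f"Basic {creds}",
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode(body),
    }


def classify_token_response(status: int, body_text: str) -> str:
    """Reduce a token-endpoint reply to a short diagnosis for logging."""
    if status == 200:
        try:
            return "ok" if "access_token" in json.loads(body_text) else "malformed-success"
        except json.JSONDecodeError:
            return "malformed-success"
    try:
        errors = json.loads(body_text).get("errors", [])
    except (json.JSONDecodeError, AttributeError):
        return f"http-{status}"
    codes = {e.get("code") for e in errors if isinstance(e, dict)}
    for known in ("invalid_grant", "invalid_client"):  # RFC 6749 section 5.2 codes
        if known in codes:
            return known
    return f"http-{status}"


# Constructed sample: the 401 body quoted in the post.
SAMPLE_401 = json.dumps({"errors": [{"code": "invalid_grant",
    "message": "The authorization grant is invalid, expired, or revoked"}]})
```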