Does anyone know how to enforce division-level scope on a Genesys Cloud OAuth client for multi-tenant BPO access?
Background
We are building a service that needs to act on behalf of agents across multiple divisions. The current implementation uses a standard client credentials flow.
Issue
The token grants access to all divisions by default. We need to restrict it to specific division IDs. The /api/v2/oauth/clients endpoint does not expose a division_ids field in the request body.
client.create_oauth_client(
    name="bpo-integration",
    grant_type="client_credentials",
    # No division scoping option here
)
Troubleshooting
- Verified api.v2.oauth permission on the client.
- Checked if division header in requests affects token scope. It does not.
- Confirmed that role assignments are correct per division.
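
A least-privilege check for the situation described in the question, added here as an example and not part of the original post: it builds a client definition with a role bound to explicit divisions and audits existing definitions for wildcard or out-of-scope grants. It assumes the client record carries `roleDivisions` entries of `roleId`/`divisionId` pairs with `*` as the all-divisions marker, which should be confirmed against the current API reference; all role and division IDs are constructed.

```python
WILDCARD = "*"  # assumed all-divisions marker


def build_scoped_client(name, role_id, division_ids):
    """Build a client-credentials body with one role bound per explicit division."""
    if not division_ids or WILDCARD in division_ids:
        raise ValueError("explicit division IDs required; wildcard refused")
    return {
        "name": name,
        "authorizedGrantType": "CLIENT-CREDENTIALS",  # assumed field and value
        "roleDivisions": [{"roleId": role_id, "divisionId": d}
                          for d in sorted(set(division_ids))],
    }


def audit_client(client, allowed_divisions):
    """Return findings for one client record; an empty list means in scope."""
    findings = []
    grants = client.get("roleDivisions") or []
    if not grants:
        findings.append("no role/division bindings recorded")
    for g in grants:
        role, div = g.get("roleId"), g.get("divisionId")
        if div == WILDCARD:
            findings.append(f"{role}: granted in all divisions")
        elif div not in allowed_divisions:
            findings.append(f"{role}: unexpected division {div}")
    bound = {g.get("roleId") for g in grants}
    for role in client.get("roleIds") or []:
        if role not in bound:
            findings.append(f"{role}: listed without a division binding")
    return findings


def audit_all(clients, allowed_divisions):
    return {c["name"]: audit_client(c, allowed_divisions) for c in clients}


# Constructed sample data (not real tenant IDs).
ALLOWED = {"div-bpo-a", "div-bpo-b"}
SAMPLE_CLIENTS = [
    build_scoped_client("bpo-integration", "role-agent", ["div-bpo-a", "div-bpo-b"]),
    {"name": "legacy-sync", "roleIds": ["role-admin"],
     "roleDivisions": [{"roleId": "role-agent", "divisionId": "*"}]},
    {"name": "reporting",
     "roleDivisions": [{"roleId": "role-report", "divisionId": "div-internal"}]},
]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_CLIENTS, ALLOWED).items():
        print(name, findings or "OK")
```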