Need to audit our OAuth clients. We’ve got about 40 integrations running and the admin UI is a pain to click through for each one. Trying to script a check against /api/v2/oauth/clients to dump the client IDs and their assigned scopes into a CSV. The list endpoint works fine, returns a 200 with the client objects. But the scope data is missing from the response payload. I assumed the scopes would be nested in the client object like they are in the UI, but they’re not there.
GET /api/v2/oauth/clients
Authorization: Bearer <access_token>
Accept: application/json
The response looks like this:
{
"entities": [
{
"id": "abc-123-def",
"name": "Legacy IVR Connector",
"description": "Old IVR system",
"clientType": "CONFIDENTIAL",
"enabled": true
}
]
}
No scopes field. I tried hitting the individual client endpoint /api/v2/oauth/clients/{clientId} thinking maybe the list view is stripped down. Same result. The full client object doesn’t include the scopes. I checked the Swagger docs for the OAuth API section. There’s no endpoint like /api/v2/oauth/clients/{id}/scopes. It’s weird. I can see the scopes in the UI under the client settings, so the data exists. How am I supposed to get this programmatically? Are we supposed to parse the JWT token for each active session to infer the scopes? That seems insane. Or is there a different API path I’m missing? I’ve been staring at the docs for an hour and I’m coming up empty. It feels like a gap in the API coverage for admin tasks. We need to rotate keys soon and I can’t do it blind. Anyone have a workaround or am I stuck clicking through the UI manually? This is frustrating.