We are building a Node.js integration that needs to access resources across multiple tenant divisions without using admin-level scopes. The goal is to restrict the OAuth client to only read data from specific divisions (e.g., division-id-1, division-id-2).
I tried adding custom scopes in the developer portal, but Genesys Cloud doesn’t seem to support division-scoped OAuth clients out of the box. When I request a token with client_credentials, it returns a token with global read access if I include data:read.
Is there a way to enforce division restrictions at the API level? I tried using the x-gw-ims-org-id header, but that’s for the organization, not the division.
Here’s the token request payload:
{
  "grant_type": "client_credentials",
  "scope": "data:read"
}
And the response includes all divisions. I need a way to filter by division in the code or via API parameters. Any ideas on how to achieve this without writing a custom middleware to filter every response?