Does anyone know the correct sequence for handling token refresh failures when a Genesys Cloud Premium App operates across multiple organizations with distinct OAuth scopes? Our integration utilizes the standard authorization code flow with PKCE, but we are encountering intermittent authentication breakdowns during the token refresh phase.
The application maintains separate OAuth tokens for each connected Genesys Cloud organization. When the access token expires, the refresh mechanism triggers, but the subsequent request to /oauth2/token returns a 401 Unauthorized error. This occurs specifically when the refresh token was issued under a different organization context than the one currently being accessed, despite the client ID and secret remaining consistent across the multi-org setup.
The error payload is as follows:
{
  "error": "invalid_grant",
  "error_description": "The refresh token has been revoked or expired."
}
We are using the Genesys Cloud Java SDK version 13.2.0 and have verified that the refresh tokens are being stored securely and are not expired prematurely. The issue appears to stem from the scope mismatch between the initial authorization grant and the subsequent refresh request. The initial grant includes admin:users:read and routing:agents:write, but the refresh request seems to be rejecting the token due to a perceived scope violation.
Has anyone encountered similar issues with multi-org OAuth token management? We are looking for best practices on how to structure the refresh logic to avoid these 401 errors. Specifically, we need to understand if the refresh token is tied to a specific organization context or if it is global across the AppFoundry partner account. Any insights into the expected behavior of the OAuth server in this scenario would be greatly appreciated. We are aiming to ensure seamless authentication across all connected organizations without manual intervention.
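The refresh logic the post is asking about, as an added example (not code from the post, and not Genesys Cloud SDK code): tokens are stored keyed by organization, a refresh is only ever attempted with the refresh token stored for that organization, an invalid_grant response marks that organization for re-authorization instead of retrying, and a missing scope is reported separately so it is not mistaken for a refresh failure. The FakeTokenEndpoint, OrgTokenStore, demo and the placeholder scope name are constructed for the example; that the endpoint binds a refresh token to the issuing org and rotates it on every refresh is a modelling assumption, not a statement about how the real /oauth2/token endpoint behaves.

```python
import secrets
from dataclasses import dataclass


@dataclass
class TokenSet:
    org_id: str
    access_token: str
    refresh_token: str
    expires_at: float
    scopes: frozenset


class ReauthorizationRequired(Exception):
    """Refresh failed with invalid_grant: this org must go through the auth-code flow again."""


class InsufficientScope(Exception):
    """The stored grant for this org never included the scopes the call needs."""


class FakeTokenEndpoint:
    """Constructed stand-in for /oauth2/token (assumption: refresh tokens are
    bound to the issuing org and rotated on every refresh)."""

    def __init__(self):
        self._refresh_tokens = {}  # refresh_token -> (org_id, scopes)

    def issue(self, org_id, scopes, now, ttl=300):
        rt = secrets.token_urlsafe(16)
        self._refresh_tokens[rt] = (org_id, frozenset(scopes))
        return TokenSet(org_id, secrets.token_urlsafe(16), rt, now + ttl, frozenset(scopes))

    def refresh(self, org_id, refresh_token, now):
        entry = self._refresh_tokens.get(refresh_token)
        if entry is None or entry[0] != org_id:
            # Same payload shape as the error quoted in the post (constructed response)
            return None, {"error": "invalid_grant",
                          "error_description": "The refresh token has been revoked or expired."}
        del self._refresh_tokens[refresh_token]  # rotation revokes the old refresh token
        return self.issue(org_id, entry[1], now), None


class OrgTokenStore:
    def __init__(self, endpoint):
        self._endpoint = endpoint
        self._tokens = {}          # org_id -> TokenSet
        self.needs_reauth = set()  # orgs whose refresh token is no longer usable

    def put(self, token_set):
        self._tokens[token_set.org_id] = token_set

    def access_token_for(self, org_id, required_scopes, now):
        token_set = self._tokens.get(org_id)
        if token_set is None or org_id in self.needs_reauth:
            raise ReauthorizationRequired(org_id)
        if not frozenset(required_scopes) <= token_set.scopes:
            raise InsufficientScope(org_id)  # wrong grant, not a refresh problem
        if token_set.expires_at > now:
            return token_set.access_token
        new_set, err = self._endpoint.refresh(org_id, token_set.refresh_token, now)
        if err is not None:
            self.needs_reauth.add(org_id)    # never retry with another org's token
            raise ReauthorizationRequired(org_id)
        self.put(new_set)
        return new_set.access_token


def demo():
    """Walk through the happy path, the cross-org refresh, rotation and a scope miss."""
    ep = FakeTokenEndpoint()
    store = OrgTokenStore(ep)
    org_a = ep.issue("org-a", ["admin:users:read", "routing:agents:write"], now=0)
    store.put(org_a)
    # Mis-keyed entry: org-b holding org-a's refresh token (the failure the post describes)
    store.put(TokenSet("org-b", "stale-access", org_a.refresh_token, 0, org_a.scopes))

    results = {}
    results["fresh"] = store.access_token_for("org-a", ["admin:users:read"], now=10) == org_a.access_token
    try:
        store.access_token_for("org-b", ["admin:users:read"], now=1000)
        results["cross_org"] = "no error"
    except ReauthorizationRequired:
        results["cross_org"] = "reauth"
    refreshed = store.access_token_for("org-a", ["admin:users:read"], now=1000)
    results["rotated"] = refreshed != org_a.access_token
    results["old_rt_revoked"] = ep.refresh("org-a", org_a.refresh_token, now=2000)[1] is not None
    try:
        store.access_token_for("org-a", ["placeholder:scope:write"], now=10)  # constructed scope
        results["scope"] = "no error"
    except InsufficientScope:
        results["scope"] = "scope"
    return results
```

Running demo() shows the two failure causes the post conflates kept apart: org-b is flagged for re-authorization after its refresh returns invalid_grant, while a scope the grant never contained is reported as InsufficientScope before any refresh is attempted.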