OAuth Token Refresh Failing with 403 in Multi-Org Setup

Could someone clarify why the token refresh endpoint returns a 403 Forbidden error specifically for secondary orgs in our multi-org OAuth configuration? We are using the latest platform SDK v2.1. The primary org tokens refresh without issue, but secondary tenants consistently fail with insufficient_scope. Verified all scopes are granted in the AppFoundry portal. Any insights on scope inheritance or tenant-level restrictions?

Check your tenant_id mapping in the OAuth config, because GC treats each org as a separate tenant unlike Zendesk’s unified view. The secondary org likely needs its own explicit scope assignment rather than inheriting from the primary.
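The check suggested in the reply above, as an added example that is not part of the thread and not the platform SDK's own code: it audits a per-org OAuth config for orgs that lack their own tenant_id mapping or an explicit scope assignment. The config layout, field names (`inherit_scopes_from`, `required_scopes`), scope names and tenant IDs are all constructed for illustration.

```python
# Constructed sample: per-org OAuth client settings. Field names are
# hypothetical, not the platform SDK's schema.
SAMPLE_CONFIG = {
    "required_scopes": ["users:read", "routing:read"],
    "orgs": [
        {"name": "primary", "tenant_id": "tenant-a",
         "scopes": ["users:read", "routing:read"]},
        # Relies on inheriting scopes from the primary org.
        {"name": "secondary-eu", "tenant_id": "tenant-b",
         "inherit_scopes_from": "primary"},
        # Mapped to the primary's tenant_id by mistake, and one scope short.
        {"name": "secondary-us", "tenant_id": "tenant-a",
         "scopes": ["users:read"]},
    ],
}


def audit_org_scopes(config):
    """Return {org name: [findings]} for orgs whose refresh is likely to fail."""
    required = set(config["required_scopes"])
    seen_tenants = {}  # tenant_id -> first org that claimed it
    findings = {}
    for org in config["orgs"]:
        issues = []
        tenant = org.get("tenant_id")
        if not tenant:
            issues.append("no tenant_id mapping")
        elif tenant in seen_tenants:
            issues.append(f"tenant_id shared with {seen_tenants[tenant]}")
        else:
            seen_tenants[tenant] = org["name"]
        # Only explicitly assigned scopes count; inheritance is not assumed.
        explicit = set(org.get("scopes", []))
        if "inherit_scopes_from" in org and not explicit:
            issues.append("scopes inherited, none assigned explicitly")
        missing = sorted(required - explicit)
        if missing:
            issues.append("missing scopes: " + ", ".join(missing))
        if issues:
            findings[org["name"]] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit_org_scopes(SAMPLE_CONFIG).items():
        print(f"{name}: " + "; ".join(issues))
```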