OAuth Token Scope Validation Fails During Multi-Org AppFoundry Deployment

I can’t seem to figure out why the token exchange endpoint returns a 403 Forbidden specifically when attempting to validate scopes for a secondary organization within our multi-org AppFoundry integration. The primary org authenticates without issue using admin:org:read and user:chat:write, but the secondary org fails at the /api/v2/oauth/token stage. We are using the genesys-cloud-purecloud-platform-client SDK version 2.24.0 in a Node.js environment deployed to US1. The error payload indicates "error": "invalid_scope" with the message "The requested scope 'integration:appfoundry:manage' is not authorized for this client.". This is puzzling because the OAuth client ID is explicitly granted these permissions in the secondary org’s admin console, and we have verified the redirect URI matches the AppFoundry manifest exactly. The integration passes all local validation checks before deployment. We suspect this might be related to the asynchronous propagation of scope changes across the platform API, but the delay exceeds the expected 15-minute window. Has anyone encountered scope latency issues specific to the integration:appfoundry:manage scope during cross-org deployments? Any insights into the internal validation logic for this specific scope would be appreciated.

This is typically caused by the token scope not being explicitly granted for the secondary organization's specific client credentials. When using the PureCloud SDK in a multi-org setup, the default token often only applies to the primary org context unless you explicitly handle the org_id parameter during the exchange.

The issue isn't the SDK version itself, but rather how the OAuth client is initialized. You need to ensure the client_id and client_secret being used are associated with an integration that has the correct scopes enabled for that specific secondary org. Also, check if the integration is set to 'global' or 'per-org'. If it's per-org, the token from the primary org won't validate scopes for the secondary one.

Try updating your initialization code to explicitly pass the org_id when requesting the token. Here is a quick snippet showing how to adjust the configuration:

const platformClient = require('genesys-cloud-purecloud-platform-client');

// API classes in the SDK are constructed, so `new` is required here.
const auth = new platformClient.AuthApi();

// Ensure you are using the client id/secret created in the SECONDARY org's
// admin console, not the primary org's. Load these from a secrets store in
// real deployments rather than hard-coding them.
const clientId = 'YOUR_SECONDARY_ORG_CLIENT_ID';
const clientSecret = 'YOUR_SECONDARY_ORG_CLIENT_SECRET';
const orgId = 'SECONDARY_ORG_ID';

// `await` only works inside an async function (or an ES module), so the
// token exchange is wrapped in one.
async function getSecondaryOrgToken() {
  const tokenResponse = await auth.postOAuthToken({
    body: {
      grant_type: 'client_credentials',
      scope: 'admin:org:read user:chat:write',
      org_id: orgId // critical for multi-org scope validation
    },
    headers: {
      // client_credentials grant: the client id/secret pair goes in HTTP Basic auth
      'Authorization': `Basic ${Buffer.from(`${clientId}:${clientSecret}`).toString('base64')}`
    }
  });
  return tokenResponse;
}

getSecondaryOrgToken()
  .then((token) => console.log('token acquired, expires_in:', token.expires_in))
  .catch((err) => console.error('token exchange failed:', err));

Also, verify that the integration in the secondary org's admin console actually has the 'admin:org:read' scope toggled on. Sometimes the primary org has it but the secondary one doesn't, leading to that 403. It's a common oversight when cloning integrations across orgs. Double check the integration settings in the secondary org's admin portal under Integrations > OAuth.
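The answer above boils down to one rule: each org needs its own OAuth client, and the scopes you request must be a subset of what that org's client was granted. Below is an added example (written for this page; it is not the poster's code and not the Genesys SDK) of a small Node.js helper that enforces that rule locally before calling the token endpoint, so the cross-org mistake (scope granted on the primary org's client, requested with the secondary org's client) is caught with a clear message instead of a 403 invalid_scope from the server. The ORG_CLIENTS registry, the token URL and the fakeFetch stand-in for the token endpoint are all constructed for the example; the real client credentials, token endpoint and error payload shape for your deployment are assumptions you must confirm. It deliberately selects a per-org client rather than passing an org_id body parameter, since whether the real token endpoint accepts such a parameter is not something this example can verify.

```javascript
// Added example, not from the original post or the Genesys SDK.
// Per-org client_credentials token requests with a local scope check.
// Assumed/constructed: ORG_CLIENTS values, tokenUrl, fakeFetch, and the
// error payload shape ({ error, description }) on the 403 response.

// Constructed registry: one OAuth client per org, with the scopes that
// client has been granted in THAT org's admin console. Real secrets come
// from a secrets store, never from source.
const ORG_CLIENTS = {
  'primary-org': {
    clientId: 'primary-client-id', clientSecret: 'primary-secret',
    grantedScopes: ['admin:org:read', 'user:chat:write', 'integration:appfoundry:manage'],
  },
  'secondary-org': {
    clientId: 'secondary-client-id', clientSecret: 'secondary-secret',
    grantedScopes: ['admin:org:read', 'user:chat:write'],
  },
};

// Requested scopes that the org's own client has NOT been granted.
function missingScopes(orgName, requestedScopes) {
  const client = ORG_CLIENTS[orgName];
  if (!client) throw new Error(`no OAuth client registered for org ${orgName}`);
  const granted = new Set(client.grantedScopes);
  return requestedScopes.filter((s) => !granted.has(s));
}

// Build a client_credentials request using the org's own client id/secret in
// HTTP Basic auth. A token minted for the primary org's client is never
// reused for the secondary org.
function buildTokenRequest(orgName, requestedScopes, tokenUrl) {
  const client = ORG_CLIENTS[orgName];
  if (!client) throw new Error(`no OAuth client registered for org ${orgName}`);
  const basic = Buffer.from(`${client.clientId}:${client.clientSecret}`).toString('base64');
  const body = new URLSearchParams({ grant_type: 'client_credentials', scope: requestedScopes.join(' ') });
  return {
    url: tokenUrl,
    method: 'POST',
    headers: { Authorization: `Basic ${basic}`, 'Content-Type': 'application/x-www-form-urlencoded' },
    body: body.toString(),
  };
}

// Refuse locally when the org's client lacks a scope; otherwise call the
// endpoint and turn an invalid_scope rejection into an actionable message.
async function getOrgToken(orgName, requestedScopes, tokenUrl, fetchImpl) {
  const missing = missingScopes(orgName, requestedScopes);
  if (missing.length) {
    return { ok: false, reason: `client for ${orgName} lacks scope(s): ${missing.join(', ')}; grant them on that org's OAuth client` };
  }
  const req = buildTokenRequest(orgName, requestedScopes, tokenUrl);
  const res = await fetchImpl(req.url, { method: req.method, headers: req.headers, body: req.body });
  const payload = await res.json();
  if (res.status === 403 && payload.error === 'invalid_scope') {
    return { ok: false, reason: `token endpoint rejected scope for ${orgName}: ${payload.description}` };
  }
  if (!res.ok) return { ok: false, reason: `token request failed with HTTP ${res.status}` };
  return { ok: true, accessToken: payload.access_token, expiresIn: payload.expires_in };
}

// Constructed stand-in for the token endpoint so the example runs offline.
// It knows the same two clients and grants the secondary one fewer scopes.
const FAKE_SERVER_GRANTS = {
  'primary-client-id:primary-secret': new Set(['admin:org:read', 'user:chat:write', 'integration:appfoundry:manage']),
  'secondary-client-id:secondary-secret': new Set(['admin:org:read', 'user:chat:write']),
};

async function fakeFetch(url, init) {
  const creds = Buffer.from(init.headers.Authorization.replace('Basic ', ''), 'base64').toString();
  const scopes = new URLSearchParams(init.body).get('scope').split(' ');
  const reply = (status, body) => ({ ok: status < 400, status, json: async () => body });
  const allowed = FAKE_SERVER_GRANTS[creds];
  if (!allowed) return reply(401, { error: 'invalid_client' });
  const bad = scopes.find((s) => !allowed.has(s));
  if (bad) return reply(403, { error: 'invalid_scope', description: `The requested scope '${bad}' is not authorized for this client.` });
  return reply(200, { access_token: `token-for-${creds.split(':')[0]}`, token_type: 'bearer', expires_in: 3600 });
}

async function main() {
  const url = 'https://login.example.invalid/oauth/token'; // hypothetical token endpoint
  const want = ['admin:org:read', 'integration:appfoundry:manage'];
  console.log(await getOrgToken('primary-org', want, url, fakeFetch));   // ok: true
  console.log(await getOrgToken('secondary-org', want, url, fakeFetch)); // ok: false, missing appfoundry scope
}
main();
```

Keeping the granted-scope list beside each org's credentials also gives you a place to diff against the admin console when a scope change appears not to have propagated: if the local registry says the scope is granted and the endpoint still answers invalid_scope, the disagreement is between your registry and that org's client, not between orgs.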