OAuth2 Client Credentials flow returning 401 Invalid Grant with Python requests

NICE CXone API & Integrations
1

Running into a wall trying to get a simple access token from Genesys Cloud using the OAuth2 Client Credentials grant type in Python. The goal is to build a lightweight service account handler for our backend analytics jobs, so I’m avoiding the overhead of the full genesyscloud SDK for this specific task.

I’m using the standard requests library to hit the /oauth/token endpoint. The endpoint itself seems correct (https://api.mypurecloud.com/oauth/token), and I’ve double-checked that the client ID and secret match what’s in the Genesys Cloud admin console under Security > API.

Here is the snippet:

import requests

url = "https://api.mypurecloud.com/oauth/token"
headers = {
 "Content-Type": "application/x-www-form-urlencoded",
 "Accept": "application/json"
}

# Client ID and Secret from env vars
client_id = os.getenv("GC_CLIENT_ID")
client_secret = os.getenv("GC_CLIENT_SECRET")

# Basic Auth header for client credentials
# Constructing base64 string manually to debug
auth_string = f"{client_id}:{client_secret}"
auth_header = base64.b64encode(auth_string.encode()).decode()

payload = {
 "grant_type": "client_credentials",
 "scope": "admin:analytics:read"
}

response = requests.post(
 url,
 data=payload,
 headers=headers,
 auth=(client_id, client_secret) # Using requests built-in auth
)

print(response.status_code)
print(response.text)

The response is consistently 401 Unauthorized. The JSON body says:

{
 "error": "invalid_grant",
 "error_description": "Invalid client credentials"
}

Things I’ve verified:

  • Client ID and Secret are correct (copied directly from the console).
  • The scope admin:analytics:read is valid and assigned to the app.
  • The Content-Type is application/x-www-form-urlencoded as required by the spec.
  • I’ve tried switching from requests’ built-in auth parameter to manually setting the Authorization: Basic ... header, but the result is identical.
  • The URL is definitely api.mypurecloud.com, not a regional variant that might be misconfigured in my local DNS.

It feels like a trivial configuration issue, but invalid_grant usually points to wrong credentials or a mismatched grant type. I’ve reset the client secret twice now. Is there a specific header requirement I’m missing for the Python requests implementation? Or does the Genesys Cloud OAuth endpoint behave differently than standard RFC 6749 implementations?