Trying to restrict a service account to specific divisions for a multi-tenant BPO setup. Created the OAuth client in the UI with division IDs set, but the SDK throws a 403 when initializing. The token request succeeds, but subsequent calls fail. Here’s the init config:
const client = PlatformClient.init({
  clientId: 'my-client-id',
  clientSecret: 'my-secret',
  basePath: 'https://api.mypurecloud.com'
});
Is there a specific scope required for division access?
Checked the SDK docs. The init config you posted is missing the grant type. For client credentials, you need to explicitly pass grantType: 'client_credentials'. Without it, the SDK might default to authorization code flow or fail silently on token retrieval, leading to that 403.
Also, division restrictions apply to the scopes and the resource endpoints, not just the client creation. Make sure the OAuth client has the admin:division scope if you’re querying division metadata, or specific data scopes like reading:conversation if accessing call data.
Here is the corrected initialization:
const client = PlatformClient.init({
  clientId: 'my-client-id',
  clientSecret: 'my-secret',
  basePath: 'https://api.mypurecloud.com',
  grantType: 'client_credentials', // Required for service accounts
  scopes: ['admin:division', 'reading:conversation'] // Add required scopes here
});
If it still throws 403, check the API response body. It usually lists the missing permissions. Sometimes the UI lags in propagating division assignments to the auth layer.
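Added example, not part of the thread and not SDK code: a raw-HTTP triage for the "token request succeeds, later calls return 403" symptom, which separates a rejected token (401) from a permission or division denial (403) and surfaces the response body. The login host, the probe paths you pass in, and the error-body field names `code` and `message` are assumptions; `fetchImpl` is a hypothetical injection point so the logic can be exercised offline.

```javascript
// Added example: triage "token OK, API call 403" without the SDK.
// Assumptions (not from the thread): login host for the mypurecloud.com
// region, and error bodies being JSON with `code` and `message` fields.
const LOGIN = 'https://login.mypurecloud.com';
const API = 'https://api.mypurecloud.com';

// Client-credentials token request: HTTP Basic auth plus grant_type in the body.
async function getToken(clientId, clientSecret, fetchImpl = fetch) {
  const basic = Buffer.from(`${clientId}:${clientSecret}`).toString('base64');
  const res = await fetchImpl(`${LOGIN}/oauth/token`, {
    method: 'POST',
    headers: {
      Authorization: `Basic ${basic}`,
      'Content-Type': 'application/x-www-form-urlencoded',
    },
    body: 'grant_type=client_credentials',
  });
  if (!res.ok) throw new Error(`token request failed: HTTP ${res.status}`);
  return (await res.json()).access_token;
}

// Call one endpoint and classify the outcome so authentication and
// authorization failures are not confused. The secret and the token are
// never copied into the returned object, so it is safe to log.
async function probe(token, path, fetchImpl = fetch) {
  const res = await fetchImpl(`${API}${path}`, {
    headers: { Authorization: `Bearer ${token}` },
  });
  if (res.ok) return { status: res.status, verdict: 'allowed' };
  const text = await res.text();
  let body;
  try { body = JSON.parse(text); } catch { body = { message: text }; }
  const verdict =
    res.status === 401 ? 'token rejected (authentication)' :
    res.status === 403 ? 'token valid, permission or division denied (authorization)' :
    'other error';
  return { status: res.status, verdict, code: body.code, message: body.message };
}

// Fetch one token, then probe every path the service account is expected to reach.
async function triage(clientId, clientSecret, paths, fetchImpl = fetch) {
  const token = await getToken(clientId, clientSecret, fetchImpl);
  return Promise.all(
    paths.map(async (p) => ({ path: p, ...(await probe(token, p, fetchImpl)) }))
  );
}
```

Running `triage` over every endpoint the integration needs shows which division-scoped resources the client's role actually covers, which is easier to read than a single 403 from SDK initialization.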