POST /api/v2/conversations/webmessaging 403 when initiating proactive session for existing contact

I’ve spent hours trying to figure out why the API rejects my attempt to resume a web messaging session for a user who already has a recent conversation history.

I am using the standard client_credentials flow to get an access token, then sending this payload to POST /api/v2/conversations/webmessaging. The endpoint returns a 403 Forbidden with the message “User is not authorized to perform this action.” The contactId is verified as valid in the CRM, and the integrationId matches the widget configuration.

{
  "contactId": "8a3f2c1d-4b5e-6a7c-8d9e-0f1a2b3c4d5e",
  "integrationId": "web-msg-integration-01",
  "type": "webmessaging",
  "routing": {
    "type": "skill",
    "skillIds": ["support-general"]
  }
}

Is there a specific permission scope missing from the OAuth client, or is the Guest API restricted for proactive initiations on existing contacts?

The quickest way to solve this is to stop using client_credentials for user-initiated actions. That flow lacks the userId context required for web messaging.

  1. Switch to the authorization code flow to obtain a user-scoped token.
  2. Ensure the token includes the webmessaging:session:write scope.

# Example using the Python SDK with a valid user token
client.set_access_token(user_access_token)
body = WebMessagingConversationCreateRequest(contact_id="valid-id", integration_id="widget-id")
client.conversations_api.post_conversations_webmessaging(body=body)
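
Step 1 of the answer above, sketched as an added example (not part of the original thread and not the SDK's own code): building the authorization-code request for the scope named in the answer and validating the callback before the code is exchanged. It goes beyond the answer by adding PKCE (RFC 7636) and a state check, and it assumes a standard OAuth 2.0 authorization server; the endpoint, client id and redirect URI are placeholders.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed placeholders, not values from the thread.
AUTHORIZE_URL = "https://login.example.invalid/oauth/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://app.example.invalid/oauth/callback"
REQUIRED_SCOPE = "webmessaging:session:write"  # scope named in the answer


def code_challenge(verifier):
    """S256 challenge: unpadded base64url of SHA-256 over the verifier."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_authorization_request():
    """Return (verifier, state, url); keep verifier and state in the user's session."""
    verifier = secrets.token_urlsafe(64)  # 86 chars, inside the 43..128 range
    state = secrets.token_urlsafe(32)     # binds the callback to this login
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": REQUIRED_SCOPE,
        "state": state,
        "code_challenge": code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return verifier, state, AUTHORIZE_URL + "?" + urlencode(params)


def extract_code(callback_url, expected_state):
    """Return the authorization code, or raise if the callback cannot be trusted."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback does not belong to this login")
    codes = query.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one code parameter")
    return codes[0]
```

The returned code is then exchanged at the token endpoint together with the stored verifier, and the resulting user-scoped token is what gets passed to the SDK call.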