POST /api/v2/oauth/clients
Content-Type: application/json
{
"name": "BPO-Read-Only",
"redirectUris": ["https://bpo-internal/callback"],
"scope": ["read:conversation", "read:queue"],
"division": {
"id": "bpo-division-uuid-xyz"
}
}
Hitting this endpoint keeps returning a 400 Bad Request. Response body claims division isn’t a valid property. Docs mention clients live at the root level but the client shouldn’t see the whole org. BPO setup requires the token restricted to one division.
Adding an allowedDivisions array in the payload results in the same 400.
Creating the client without a division and assigning it to a user in the target division leaves the token pulling data from the root division on every call.
Python SDK method oauth_client_create throws a validation error if the division object passes through.
Is there a specific flag to lock the client scope? Or do I have to use the X-Genesys-Application-Id header on every single request and hope it works?
Just need the JSON structure that actually sticks. API keeps rejecting it.