QM evaluation REST calls return 403 inside Client App SDK despite valid PKCE token

The custom desktop runs on React 18 and uses Client App SDK v3.15.0. It loads fine until the app tries to pull Quality Management evaluation data. The OAuth implicit grant with PKCE handles login without issues. Tokens don’t refresh correctly for the QM scope though.

Switching to quality:evaluation:read breaks the flow. The REST client throws a 403 Forbidden immediately after the token refresh. The embeddable container logs show the scope is actually attached to the JWT. Checked the payload with a decoder. The claim is right there.

Tried isolating the request outside the SDK. Plain fetch works. Inside the SDK wrapper, it dies. The postMessage API catches a weird timeout before the actual error returns. Looks like the SDK interceptor is stripping the Authorization header on the second hop. You’ll see the header vanish in the network tab.

Steps already attempted:

  1. Verified quality:evaluation:read exists in the app config manifest.
  2. Forced a full token refresh via genesyscloud.auth.refreshToken().
  3. Logged the raw request headers right before the SDK sends it.
  4. Downgraded SDK to v3.12.1 to rule out recent breaking changes.

Doing jack all to fix it. The custom desktop sits on a US West edge node. Server time is US/Pacific. Maybe the region routing is messing with the QM endpoint. Or the PKCE challenge is expiring too fast for the evaluation service.

{
 "error": "forbidden",
 "error_description": "Access token does not contain required scope: quality:evaluation:read",
 "message": "Authentication failed for resource /api/v2/quality/evaluations",
 "timestamp": "2024-05-14T18:22:09Z"
}

The token clearly has the scope. Decoded it twice. SDK version 3.15.0. React strict mode on. The console just keeps spinning.