We’ve hit a wall with our custom WFM dashboard. It’s a React app that uses the implicit grant flow to get agents logged in. The login works fine. We get the token in the URL fragment. But when the app tries to hit the API, it fails. The token looks valid. I can paste it into jwt.io and it decodes. The signature checks out. The audience is correct. But our backend validation service is rejecting it. It says the issuer is wrong.
Here is the payload we are seeing:
{
  "iss": "https://login.mypurecloud.com/oauth/token",
  "sub": "12345",
  "aud": "https://api.mypurecloud.com",
  "exp": 1715623200
}
Our validation code checks if iss matches https://login-us.genesis.com/oauth/token. It fails. We are in the US Pacific region. I thought the issuer was always login.mypurecloud.com. Is there a region-specific issuer I’m missing? Or is the implicit grant returning a different issuer than the client credentials flow? We don’t want to hardcode a list of issuers if we can help it. It feels fragile. The docs are vague on this. We just need to know what the iss claim should be for the implicit grant in our region so we can stop blocking our agents. The error is a 401 from our own middleware, not Genesys.
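Added example, not part of the original post and not Genesys or the poster's code: a claim check that reads the accepted issuers from configuration instead of a hardcoded constant and reports which claim failed along with the received and expected values, so a 401 like the one above can be traced to the exact string mismatch. It assumes the token signature has already been verified upstream; `parseAllowedIssuers`, `checkClaims` and the `ALLOWED_ISSUERS` setting name are hypothetical, and the second issuer value is constructed only to show the passing path.

```javascript
// Added example. Claims are assumed to come from a token whose signature
// the middleware has already verified; this only checks iss, aud and exp.

// Hypothetical helper: parse a comma-separated issuer list taken from
// configuration (e.g. an ALLOWED_ISSUERS setting; the name is an assumption).
function parseAllowedIssuers(raw) {
  return new Set(
    String(raw || "").split(",").map((s) => s.trim()).filter(Boolean)
  );
}

// Exact-match claim check. On failure, returns the claim name plus the
// received and expected values so the rejection can be logged precisely.
function checkClaims(claims, { allowedIssuers, audience, now }) {
  if (typeof claims.iss !== "string" || !allowedIssuers.has(claims.iss)) {
    return { ok: false, claim: "iss", got: claims.iss, expected: [...allowedIssuers] };
  }
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(audience)) {
    return { ok: false, claim: "aud", got: claims.aud, expected: [audience] };
  }
  if (typeof claims.exp !== "number" || claims.exp <= now) {
    return { ok: false, claim: "exp", got: claims.exp, expected: [`> ${now}`] };
  }
  return { ok: true };
}

// Payload exactly as quoted in the post.
const claims = {
  iss: "https://login.mypurecloud.com/oauth/token",
  sub: "12345",
  aud: "https://api.mypurecloud.com",
  exp: 1715623200,
};
const audience = "https://api.mypurecloud.com";
const now = 1715620000; // constructed clock value, earlier than exp

// Issuer the post says the middleware currently expects: rejected on iss.
const current = checkClaims(claims, {
  allowedIssuers: parseAllowedIssuers("https://login-us.genesis.com/oauth/token"),
  audience, now,
});
// Constructed configuration that lists the issuer seen in the token: accepted.
const matching = checkClaims(claims, {
  allowedIssuers: parseAllowedIssuers(" https://login.mypurecloud.com/oauth/token "),
  audience, now,
});
console.log(current, matching);
```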