SAML SSO blocking OAuth client_credentials flow

Forcing SAML SSO for our agents, but the OTel collector is failing to get an access token using client_credentials. The docs say programmatic access should bypass SAML, but I’m hitting a 401. Here’s the request:

POST /oauth/token
grant_type=client_credentials
client_id=abc-123
client_secret=secret-456

Response is just unauthorized_client. Am I missing a config flag in the OAuth client settings to allow this alongside SAML?

Are you sure that client isn’t still tied to a user identity somewhere? SAML enforcement usually hits interactive logins, but if the OAuth client has specific scope restrictions or isn’t explicitly marked for machine-to-machine use, it’ll get rejected hard. Check the client settings in the admin portal. You need to ensure the client_credentials grant type is actually enabled for that specific client ID.

Here’s what usually fixes it. First, verify the scopes. client_credentials often needs admin:api or specific resource scopes depending on what you’re hitting. Then, look at the response headers. If it’s a 401 with unauthorized_client, it’s almost always a permission mismatch on the client object itself. Try this curl to test the token endpoint directly with explicit scopes:

curl -X POST "https://api.mypurecloud.com/oauth/token" \
 -H "Content-Type: application/x-www-form-urlencoded" \
 -d "grant_type=client_credentials&client_id=abc-123&client_secret=secret-456&scope=api:read"

If that works, your OTel config is probably dropping the scope or sending the credentials as Basic Auth instead of form data.
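To make the two failure modes in the reply above easy to tell apart, here is a small Python script that builds the same client_credentials request both ways (credentials in the form body, as in the curl above, or in an HTTP Basic header per RFC 6749 section 2.3.1) and triages the token endpoint's error code. This is an added example, not code from the thread or from the collector; the endpoint, client_id, client_secret and scope values are the placeholders from the thread, and the error-to-cause mapping is my reading of RFC 6749 section 5.2, not vendor documentation.

```python
"""Build a client_credentials token request two ways and triage the error.

Added example, not from the original thread. TOKEN_URL, the client_id,
client_secret and scope below are the placeholders used in the thread.
"""
import base64
import json
import urllib.error
import urllib.request
from urllib.parse import urlencode

TOKEN_URL = "https://api.mypurecloud.com/oauth/token"  # placeholder from the thread

FORM = {"Content-Type": "application/x-www-form-urlencoded"}


def form_body_request(client_id, client_secret, scope=None):
    """Credentials in the form body (what the curl in the thread sends)."""
    params = {"grant_type": "client_credentials",
              "client_id": client_id, "client_secret": client_secret}
    if scope:
        params["scope"] = scope
    return urllib.request.Request(TOKEN_URL, data=urlencode(params).encode(),
                                  headers=dict(FORM))


def basic_auth_request(client_id, client_secret, scope=None):
    """Credentials in an Authorization: Basic header (RFC 6749 section 2.3.1),
    which is how many OAuth2 client extensions send them by default. If the
    server only accepts one placement, the other one fails with invalid_client."""
    params = {"grant_type": "client_credentials"}
    if scope:
        params["scope"] = scope
    cred = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = dict(FORM, Authorization=f"Basic {cred}")
    return urllib.request.Request(TOKEN_URL, data=urlencode(params).encode(),
                                  headers=headers)


# RFC 6749 section 5.2 error codes and what each usually means for a
# client_credentials call. This mapping is an assumption based on the RFC text.
ERROR_HINTS = {
    "invalid_client": "client authentication failed: wrong client_id/secret, or "
                      "the server expects the credentials in the other place "
                      "(form body vs Basic header)",
    "unauthorized_client": "client authenticated, but the client_credentials "
                           "grant is not enabled for this client: fix the "
                           "client's grant-type/permission settings, not the "
                           "request",
    "invalid_scope": "requested scope is not granted to this client",
    "invalid_request": "malformed request: missing grant_type or bad encoding",
}


def triage(status, body_text):
    """Map an error response to a likely cause. Returns (error_code, hint).

    Accepts the RFC JSON form {"error": "..."} and the bare-string form some
    servers return. Never echoes the request, so the secret is never logged.
    """
    try:
        err = json.loads(body_text).get("error", "")
    except ValueError:
        err = body_text.strip()
    return err, ERROR_HINTS.get(err, f"unrecognised error '{err}' (HTTP {status})")


def fetch_token(req, timeout=10):
    """Send the request. Returns (access_token, None) or (None, triage_result)."""
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.load(resp)["access_token"], None
    except urllib.error.HTTPError as e:
        return None, triage(e.code, e.read().decode(errors="replace"))


if __name__ == "__main__":
    # Try both credential placements against the real endpoint and report
    # which one the server accepts, or why each was rejected.
    for build in (form_body_request, basic_auth_request):
        token, problem = fetch_token(build("abc-123", "secret-456", "api:read"))
        print(build.__name__, "->", "token ok" if token else problem)
```

Run it with the placeholders replaced by the real client. If the form-body variant returns a token and the Basic variant returns invalid_client (or the reverse), the collector's credential placement is the problem; if both return unauthorized_client, the client object itself does not have the grant enabled and no request-side change will help.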