We just flipped the switch on SAML SSO for our org. It’s working great for agents logging into the web client, but now our background service is failing to get an access token. We are using the C# Genesys Cloud Platform SDK to pull analytics data every hour.
Before SAML, we used the standard client_credentials grant with our app ID and secret. Now, the login endpoint returns a 401 Unauthorized. The error message says “Invalid grant type”.
I’m confused because the docs say programmatic access should still work with client credentials, even if users use SAML. I thought SAML only affected the user login flow, not the machine-to-machine auth.
Here is the code snippet that used to work:
var client = new GenesysCloudPlatform.Client.Configuration();
client.ClientId = "my-app-id";
client.ClientSecret = "my-secret";
var authClient = new GenesysCloudPlatform.Client.Auth.OAuth2Client(client);
var token = await authClient.GetClientCredentialsTokenAsync("https://api.mypurecloud.com/oauth/token");
The exception details show:
Status Code: 401
Body: {"error":"invalid_grant","error_description":"Client authentication failed"}
Did the SAML setup change how the OAuth token endpoint validates the app credentials? Or do I need to use a different grant type now? I don’t want to use the authorization_code flow for a background service because there is no user interaction.
Any ideas on what I’m missing here? I’ve checked the app permissions in the admin portal and they look fine.
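Added example, not part of the original post and not Genesys SDK code: a raw client_credentials request built as RFC 6749 section 4.4 describes and sent without the SDK, so the token endpoint's own `error` and `error_description` can be read directly and the secret stays out of source code. The class name `TokenProbe` and the environment variable names `TOKEN_URL`, `CLIENT_ID` and `CLIENT_SECRET` are assumptions; the token URL is whatever the caller supplies.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;
public static class TokenProbe // hypothetical helper, not an SDK type
{
    // RFC 6749 section 4.4: the client authenticates with HTTP Basic and the
    // form body carries only grant_type=client_credentials.
    public static HttpRequestMessage BuildRequest(string tokenUrl, string clientId, string clientSecret)
    {
        var basic = Convert.ToBase64String(Encoding.UTF8.GetBytes($"{clientId}:{clientSecret}"));
        var req = new HttpRequestMessage(HttpMethod.Post, tokenUrl);
        req.Headers.Authorization = new AuthenticationHeaderValue("Basic", basic);
        req.Content = new FormUrlEncodedContent(new Dictionary<string, string> { ["grant_type"] = "client_credentials" });
        return req;
    }

    // Reports the status and OAuth error fields; never echoes a secret or an issued token.
    public static string Summarise(int status, string body)
    {
        try
        {
            using var doc = JsonDocument.Parse(body);
            var root = doc.RootElement;
            if (root.ValueKind == JsonValueKind.Object && root.TryGetProperty("error", out var err))
            {
                var desc = root.TryGetProperty("error_description", out var d) ? d.ToString() : "";
                return $"{status} error={err} description={desc}";
            }
            return $"{status} no error field (token value not logged)";
        }
        catch (JsonException) { return $"{status} non-JSON body, {body.Length} chars"; }
    }
    public static async Task Main()
    {
        // Constructed sample: the 401 body quoted in the post, checked offline.
        Console.WriteLine(Summarise(401, "{\"error\":\"invalid_grant\",\"error_description\":\"Client authentication failed\"}"));
        // Live probe runs only when all three (assumed) environment variables are set.
        var url = Environment.GetEnvironmentVariable("TOKEN_URL");
        var id = Environment.GetEnvironmentVariable("CLIENT_ID");
        var secret = Environment.GetEnvironmentVariable("CLIENT_SECRET");
        if (url is null || id is null || secret is null) return;
        using var http = new HttpClient();
        using var resp = await http.SendAsync(BuildRequest(url, id, secret));
        Console.WriteLine(Summarise((int)resp.StatusCode, await resp.Content.ReadAsStringAsync()));
    }
}
```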