SAML SSO breaking OAuth client_credentials flow?

Enabled SAML SSO for our agents. Now POST /oauth/token with client_credentials scope returns 401 Unauthorized. Using the same client_id and secret that worked before. Is there a config flag to keep API access working while enforcing SAML for UI login?

Are you checking whether that client ID is actually linked to the SAML entity? If you enabled SAML for the whole org without whitelisting the client, it gets locked out by default.

You don’t need a magic config flag. Just go to Admin > Identity > Applications. Find your client ID. Check the “Allow SSO” box or ensure it’s not restricted to SAML-only authentication methods if that option exists in your version. Usually, client_credentials should bypass user-based SAML entirely unless you’ve explicitly tied the app to a SAML entity that requires user assertion.

Here’s how to verify the token endpoint is still open for machine-to-machine auth using curl. If this fails, the app is definitely blocked by SAML settings.

curl -X POST "https://{org_id}.mygenesys.com/api/v2/oauth/token" \
 -H "Content-Type: application/x-www-form-urlencoded" \
 -u "{client_id}:{client_secret}" \
 -d "grant_type=client_credentials&scope=analytics:report:read"

If you get 401 back, check the application settings in CXone. Make sure “Require SSO” isn’t checked for that specific client application. client_credentials shouldn’t care about SAML for the user, but the app config might be forcing it.
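As an added example (not from the thread above and not vendor code), here is a small Python probe that does the same client_credentials request as the curl command but also classifies the answer. A bare 401 tells you little; the OAuth 2.0 error responses from RFC 6749 section 5.2 do: `invalid_client` means the client authentication itself was rejected, `unauthorized_client` means the client exists but is not allowed to use this grant type, and a 401 with no OAuth error body is the opaque case where you have to go look at the application settings. The token URL, client ID, secret and scope are placeholders you supply; the classification strings are this script's own labels, not anything the server sends. It also builds the Basic header per RFC 6749 section 2.3.1 (form-urlencode id and secret before base64), a step `curl -u` skips and which can matter when a secret contains characters such as `:`.

```python
"""Probe an OAuth 2.0 client_credentials token endpoint and classify the reply.

Added example for this thread; not part of the original post or any vendor SDK.
TOKEN_URL, CLIENT_ID, CLIENT_SECRET and SCOPE are placeholders.
"""
import base64
import json
import os
import urllib.error
import urllib.parse
import urllib.request


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Build the HTTP Basic header the way RFC 6749 section 2.3.1 specifies:
    application/x-www-form-urlencoded-encode id and secret, join with ':',
    then base64. `curl -u` does not do the encoding step."""
    cred = "{}:{}".format(
        urllib.parse.quote(client_id, safe=""),
        urllib.parse.quote(client_secret, safe=""),
    )
    return "Basic " + base64.b64encode(cred.encode("utf-8")).decode("ascii")


def classify_token_response(status: int, body: str) -> str:
    """Map a token endpoint reply to a diagnostic label (labels are ours).

    RFC 6749 section 5.2 error codes distinguish 'credentials rejected'
    (invalid_client) from 'client not permitted this grant' (unauthorized_client)
    and 'scope not granted to this client' (invalid_scope). A 401 with no
    OAuth error body is opaque: the server did not say why, so check the
    application's SSO / auth-method settings as the thread suggests."""
    try:
        data = json.loads(body) if body else {}
    except json.JSONDecodeError:
        data = {}
    if not isinstance(data, dict):
        data = {}
    if status == 200 and "access_token" in data:
        return "ok"
    err = data.get("error")
    if err == "invalid_client":
        return "client_auth_failed"       # wrong/rotated secret, disabled or unknown client
    if err == "unauthorized_client":
        return "grant_not_allowed"        # client exists but client_credentials is not enabled for it
    if err == "invalid_scope":
        return "scope_rejected"           # credentials fine, requested scope not assigned to the client
    if err in ("invalid_request", "unsupported_grant_type", "invalid_grant"):
        return "request_malformed"
    if status == 401:
        return "opaque_401"               # no OAuth error body: inspect the app's SSO settings
    return "unexpected"


def request_token(token_url: str, client_id: str, client_secret: str,
                  scope: str, timeout: float = 10.0):
    """POST grant_type=client_credentials and return (status, body) even on 4xx/5xx."""
    form = urllib.parse.urlencode(
        {"grant_type": "client_credentials", "scope": scope}
    ).encode("ascii")
    req = urllib.request.Request(token_url, data=form, method="POST")
    req.add_header("Authorization", basic_auth_header(client_id, client_secret))
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    req.add_header("Accept", "application/json")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", errors="replace")
    except urllib.error.HTTPError as exc:
        # The error body usually carries the RFC 6749 "error" field; keep it.
        return exc.code, exc.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    # Placeholders: set these in the environment before running against a real org.
    token_url = os.environ.get("TOKEN_URL", "https://{org_id}.example.invalid/api/v2/oauth/token")
    client_id = os.environ.get("CLIENT_ID", "{client_id}")
    client_secret = os.environ.get("CLIENT_SECRET", "{client_secret}")
    scope = os.environ.get("SCOPE", "analytics:report:read")
    status, body = request_token(token_url, client_id, client_secret, scope)
    print(status, classify_token_response(status, body))
    print(body[:500])
```

Run it with TOKEN_URL, CLIENT_ID and CLIENT_SECRET exported; `client_auth_failed` means the secret or client record is the problem, `grant_not_allowed` or `scope_rejected` means the client authenticated but is missing the grant or scope, and `opaque_401` is the case where the server hides the reason and the application's SSO enforcement setting is the first thing to check.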