Got this 401 Unauthorized error when trying to refresh tokens via the /oauth/token endpoint after switching our org to SAML SSO.
{
"code": 401,
"message": "Invalid client credentials",
"status": "Unauthorized"
}
We’ve been using the client_credentials grant type for our internal reporting scripts for years. It’s worked perfectly until we enabled SAML SSO last week. Now the same client ID and secret that used to pull data are getting rejected. The SAML setup is working fine for users logging into the web UI, but the programmatic access is busted.
I checked the Genesys Cloud docs and it seems like SAML doesn’t automatically disable OAuth, but there’s a setting in the SAML configuration called “Enable OAuth for API access” or something similar that might be off. I’m looking at the SamlConfig object returned from GET /api/v2/users/saml/config and I don’t see an obvious flag to toggle OAuth back on.
Here’s the cURL command we’re running:
curl -X POST https://api.mypurecloud.com/oauth/token \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=client_credentials&client_id=OUR_CLIENT_ID&client_secret=OUR_CLIENT_SECRET"
Is there a specific API call or setting we need to adjust to allow OAuth to work alongside SAML? We don’t want to force every script to use the authorization_code flow because that requires user interaction and breaks our automated jobs. We just want the old client_credentials flow to keep working.
I’ve tried regenerating the client secret, but that didn’t help. The error is still the same. Any ideas on what we’re missing here?