Hey folks.
We have a custom C# agent desktop app that uses the Embeddable Client SDK for screen pops. It authenticates using the standard OAuth Client Credentials flow to get an access token. Everything worked fine until IT enforced SAML SSO for all users in our org.
Now when I try to call /api/v2/oauth/token with our client_id and client_secret, I get a 401 Unauthorized. The error payload says invalid_grant. I assumed the machine-to-machine auth would be independent of user login methods, but it seems the SAML config might be locking down the OAuth endpoints or changing the token validation logic.
Here is the setup:
- Org: Genesys Cloud US1
- Auth Type: Client Credentials (no user context)
- SAML: Enabled for all users
- App: Custom .NET Core console app using HttpClient for token requests
The code looks standard:
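```csharp
using System.Collections.Generic;
using System.Net.Http;

// Form-encoded body for the client credentials grant (no user context)
var content = new FormUrlEncodedContent(new[]
{
    new KeyValuePair<string, string>("grant_type", "client_credentials"),
    new KeyValuePair<string, string>("client_id", clientId),
    new KeyValuePair<string, string>("client_secret", secret)
});
// Relative path, so client.BaseAddress must already be set on the HttpClient
var response = await client.PostAsync("/api/v2/oauth/token", content);
```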
Is there a specific scope I’m missing or a config flag in the SAML app that blocks programmatic access? The docs are vague on this intersection. I’ve checked the client permissions in the admin portal and they look correct.