SAML SSO breaks Client Credentials Grant for backend services

We’ve just finished migrating our org to SAML SSO. The login flow works perfectly for agents and supervisors in the UI. Now our backend Python service is failing to get an access token. It was working fine before the SAML rollout.

I’m using the standard client credentials grant against the /oauth/token endpoint. The docs state: “The client credentials grant type is ideal for machine-to-machine communication.” It doesn’t mention SAML breaking it. Here is the request body:

client_id=abc123&client_secret=xyz789&grant_type=client_credentials&scope=analytics:read

Getting a 401 Unauthorized with "error": "invalid_client". I double-checked the client ID and secret in the admin console. They look correct. Is there a setting in the SAML configuration that disables API access for clients?

I tried adding &resource=https://api.mypurecloud.com but that didn’t help. The error is still the same. We need the backend service to continue pulling analytics data via API. SSO should only affect human logins. Right?

The client was created in the old UI before SAML was enabled. I tried recreating the client in the new settings page but the options are limited. No way to set specific scopes during creation. The docs say scopes are assigned in the admin panel. I checked the client settings. Scopes look assigned.

What am I missing? The error says invalid_client which usually means bad credentials. But they work in Postman if I disable SAML for my user session. Wait, no, SAML doesn’t affect the token endpoint auth. Or does it?

This is driving me nuts. We have a deployment window in two hours. Can’t roll back the SAML change without causing an outage for the agents. Any code snippet showing a working client creds request post-SAML would be great. Or a pointer to the specific admin setting. I’ve read the OAuth v2 section three times. Nothing about SAML interference.
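
An added example, not part of the original post: the request body above sends the client credentials as form parameters, while RFC 6749 section 2.3.1 also defines HTTP Basic client authentication, which servers must support for clients that were issued a secret. The Python below builds the same client credentials request in that form and maps token endpoint error codes to their RFC 6749 section 5.2 meanings; the token URL is a placeholder assumption, the function names are hypothetical, and the credentials in any call are whatever the caller supplies.

```python
import base64
import json
import urllib.parse
import urllib.request

# Assumption: placeholder token endpoint; substitute your provider's login host.
TOKEN_URL = "https://login.example.com/oauth/token"


def build_token_request(client_id, client_secret, scope=None, url=TOKEN_URL):
    """Client credentials request using HTTP Basic client auth (RFC 6749 2.3.1)."""
    # The RFC form-encodes each credential before joining with ':' and base64.
    pair = "{}:{}".format(urllib.parse.quote_plus(client_id),
                          urllib.parse.quote_plus(client_secret))
    basic = base64.b64encode(pair.encode("utf-8")).decode("ascii")
    form = {"grant_type": "client_credentials"}
    if scope:
        form["scope"] = scope
    # The secret travels only in the Authorization header, never in the body.
    return urllib.request.Request(
        url,
        data=urllib.parse.urlencode(form).encode("ascii"),
        headers={"Authorization": "Basic " + basic,
                 "Content-Type": "application/x-www-form-urlencoded"},
        method="POST")


def explain_token_error(status, body):
    """Map a token endpoint error response to its RFC 6749 5.2 meaning."""
    try:
        error = json.loads(body).get("error", "")
    except (ValueError, AttributeError, TypeError):
        return "HTTP {}: non-JSON error body".format(status)
    meanings = {
        "invalid_client": "client authentication failed (unknown client, no "
                          "credentials received, or unsupported auth method)",
        "invalid_scope": "requested scope is invalid or exceeds what is granted",
        "unauthorized_client": "client is not allowed to use this grant type",
        "unsupported_grant_type": "server does not support this grant type",
    }
    return "HTTP {} {}: {}".format(status, error,
                                   meanings.get(error, "see RFC 6749 5.2"))


def fetch_token(request, timeout=10):
    """Send the request and return the parsed token response (needs network)."""
    with urllib.request.urlopen(request, timeout=timeout) as resp:
        return json.load(resp)
```

On a failure, `urllib.error.HTTPError` carries the status in `.code` and the JSON error body in `.read()`, which can be passed straight to `explain_token_error`.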