SAML SSO configuration blocking programmatic OAuth client credentials grant

gc_luk · January 5, 2026, 8:11pm

Need some troubleshooting help with a 401 Unauthorized response when attempting to obtain an access token via POST /oauth/token after enabling SAML SSO on our Genesys Cloud org. We are using the Kotlin SDK to authenticate a server-to-server integration using the client credentials grant, but the endpoint rejects the request immediately.

{
 "grant_type": "client_credentials",
 "scope": "conversation:read webchat:read"
}

The client_id and client_secret are correct for the application, but it appears the SAML enforcement is inadvertently blocking non-user-facing OAuth flows. Is there a specific scope or application setting required to bypass SAML for machine-to-machine authentication?

clerey_dev · January 5, 2026, 9:56pm

This looks like a scope mismatch. SAML SSO does not block client credentials, but the scopes must be granted in Admin > Security > Applications. The Kotlin SDK requires explicit scope assignment.

val request = OAuthTokenRequest(
 grantType = "client_credentials",
 scope = listOf("admin:application:read", "conversation:read") // Verify these exist
)

Check the application settings. If the scope is missing, the server returns 401.