SAML SSO enabled but client_credentials flow failing with 400

Enabled SAML SSO for user auth but need programmatic access for our custom desktop app. Tried the standard client_credentials grant against /oauth/token with a valid API key.

Returns 400 Bad Request: “Invalid grant type”.

Does enabling SAML disable machine-to-machine auth entirely?

SAML doesn’t touch the client credentials flow. If you’re getting a 400 “Invalid grant type”, the issue is almost certainly in the request body structure or the OAuth scope configuration, not the SAML setup itself.

Check your POST payload. The grant_type parameter needs to be exactly client_credentials. Also, make sure you’re passing the client_id and client_secret in the body, not as headers. Genesys expects application/x-www-form-urlencoded.

Here’s the raw curl command that works for me:

curl -X POST "https://api.mypurecloud.com/oauth/token" \
 -H "Content-Type: application/x-www-form-urlencoded" \
 -d "grant_type=client_credentials&client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET&scope=conversation:read conversation:write"

If that still fails, check the API key settings in Admin. Under OAuth Applications, find your app. Ensure Client Credentials is checked under Grant Types. Sometimes enabling SAML prompts admins to review security settings, and it’s easy to accidentally uncheck that box.

Also, double-check the scopes. If you request a scope that requires user interaction (like uc:presence:write which might imply a user context), the machine-to-machine flow will reject it. Stick to system-level scopes for now.
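An added example, not part of the original answer and not vendor code: an offline preflight that checks a token request against the points listed in the answer above (form-encoded content type, exact grant_type, credentials in the body, scopes flagged as user-context). The function names, the sample values, and the contents of the user-context scope set are assumptions supplied by the caller.

```python
from urllib.parse import parse_qs, urlencode

# Offline preflight for a client_credentials token request, following the
# checklist in the answer above. Names and sample values are constructed.
FORM = "application/x-www-form-urlencoded"


def lint_token_request(headers, body, user_context_scopes=()):
    """Return a list of problems found in the request; empty list means OK."""
    problems = []
    ctype = {k.lower(): v for k, v in headers.items()}.get("content-type", "")
    if ctype.split(";")[0].strip().lower() != FORM:
        problems.append(f"Content-Type is {ctype!r}, expected {FORM}")
        return problems  # body cannot be parsed as a form, stop here
    fields = parse_qs(body, keep_blank_values=True)
    grant = fields.get("grant_type", [None])
    if len(grant) != 1 or grant[0] != "client_credentials":
        problems.append(f"grant_type is {grant!r}, must be exactly 'client_credentials'")
    for name in ("client_id", "client_secret"):
        # Report only the field name, never the secret value itself.
        if not fields.get(name, [""])[0]:
            problems.append(f"{name} missing from the form body")
    for scope in fields.get("scope", [""])[0].split():
        if scope in user_context_scopes:
            problems.append(f"scope {scope!r} is flagged as needing a user context")
    return problems


def build_body(client_id, client_secret, scopes):
    """Form-encode the fields so spaces and special characters survive."""
    return urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": " ".join(scopes),
    })


if __name__ == "__main__":
    good = build_body("example-id", "example-secret", ["conversation:read"])
    print(lint_token_request({"Content-Type": FORM}, good))
    # Constructed bad request: wrong case, trailing space, no client_secret.
    bad = "grant_type=Client_Credentials &client_id=example-id"
    print(lint_token_request({"Content-Type": FORM}, bad))
```

Running the same check in the desktop app before it sends the request lets it log which field is malformed without writing the client secret to the log.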