Looking for advice on how to keep OAuth 2.0 client credentials working after we forced SAML SSO on our Genesys Cloud org. We’re building a Teams bot that needs to sync presence in the background, so user interaction for login isn’t an option.
I set up a new OAuth client in the developer console, generated a refresh token, and everything worked fine during testing. Now that SAML is mandatory for all users, my Python script gets a 401 Unauthorized when trying to exchange the refresh token.
```python
import requests  # the snippet depends on the requests library

# org_host, client_id, client_secret and my_refresh_token are set earlier in the script
response = requests.post(f"https://{org_host}/oauth/token",
                         auth=(client_id, client_secret),  # HTTP Basic client authentication
                         data={"grant_type": "refresh_token", "refresh_token": my_refresh_token})
print(response.status_code)  # 401
```
The error response is generic: {"error": "invalid_grant", "error_description": "Refresh token is invalid or has expired."}.
I read somewhere that SAML changes might invalidate existing tokens, but I regenerated the refresh token after the SAML change. Is there a specific scope or setting I need to enable on the OAuth client to bypass the SAML prompt for machine-to-machine auth? Or do I need to use a different grant type entirely for this use case?
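As an added example (not the poster's script and not Genesys Cloud's own SDK), the following contrasts the two standard OAuth 2.0 grants involved here, as defined in RFC 6749: the refresh_token grant (section 6), which renews a token that was originally issued to a signed-in user, and the client_credentials grant (section 4.4), which authenticates the application itself with no user and no refresh token. It assumes the same token endpoint shape the post uses (`https://{org_host}/oauth/token` with HTTP Basic client authentication); the `FakeTokenEndpoint`, the host `example.test`, the credentials and the error bodies are constructed so the script runs offline, and the fake mirrors the 401/`invalid_grant` response quoted in the post. Whether a given authorization server accepts client credentials for a particular OAuth client is an assumption to verify in that server's documentation.

```python
"""OAuth 2.0 token handling for a background (machine-to-machine) job.

Shows why a refresh token tied to a user login can stop working while the
client_credentials grant, which needs no user session, keeps working, and
wraps the latter in a small cache that renews before expiry.
"""
import time
from dataclasses import dataclass


class TokenError(Exception):
    """Raised when the token endpoint rejects a request."""
    def __init__(self, status, error, description=None):
        super().__init__(f"{status} {error}: {description}")
        self.status, self.error, self.description = status, error, description


@dataclass
class FakeResponse:
    status_code: int
    body: dict

    def json(self):
        return self.body


class FakeTokenEndpoint:
    """Constructed stand-in for an authorization server's /oauth/token.

    Same call signature as requests.Session().post(url, auth=, data=, timeout=),
    so a real session can be swapped in. Refresh tokens listed in
    `revoked_refresh_tokens` are rejected the way the post describes.
    """
    def __init__(self, client_id, client_secret):
        self.creds = (client_id, client_secret)
        self.issued = 0
        self.revoked_refresh_tokens = {"old-refresh-token"}  # constructed sample

    def post(self, url, auth=None, data=None, timeout=None):
        if not url.endswith("/oauth/token") or auth != self.creds:
            return FakeResponse(401, {"error": "invalid_client"})
        grant = (data or {}).get("grant_type")
        if grant == "refresh_token":
            if data.get("refresh_token") in self.revoked_refresh_tokens:
                return FakeResponse(401, {"error": "invalid_grant",
                    "error_description": "Refresh token is invalid or has expired."})
            self.issued += 1
            return FakeResponse(200, {"access_token": f"rt-token-{self.issued}",
                                      "token_type": "bearer", "expires_in": 3600})
        if grant == "client_credentials":
            self.issued += 1
            return FakeResponse(200, {"access_token": f"cc-token-{self.issued}",
                                      "token_type": "bearer", "expires_in": 3600})
        return FakeResponse(400, {"error": "unsupported_grant_type"})


def exchange_refresh_token(session, org_host, client_auth, refresh_token):
    """RFC 6749 section 6 request; returns (status, body) so callers can classify."""
    resp = session.post(f"https://{org_host}/oauth/token", auth=client_auth,
                        data={"grant_type": "refresh_token", "refresh_token": refresh_token},
                        timeout=10)
    return resp.status_code, resp.json()


class M2MTokenClient:
    """client_credentials grant (RFC 6749 section 4.4) with expiry-aware caching.

    The token is fetched on first use and renewed `skew` seconds before the
    server-announced expiry, so a long-running sync never presents a stale token.
    """
    def __init__(self, org_host, client_id, client_secret, session, skew=60):
        self.url = f"https://{org_host}/oauth/token"
        self.auth = (client_id, client_secret)   # HTTP Basic client authentication
        self.session, self.skew = session, skew
        self._token, self._expires_at = None, 0.0

    def get_token(self, now=None):
        now = time.time() if now is None else now
        if self._token and now < self._expires_at - self.skew:
            return self._token
        resp = self.session.post(self.url, auth=self.auth,
                                 data={"grant_type": "client_credentials"}, timeout=10)
        body = resp.json()
        if resp.status_code != 200:
            raise TokenError(resp.status_code, body.get("error"), body.get("error_description"))
        self._token = body["access_token"]
        self._expires_at = now + int(body.get("expires_in", 0))
        return self._token


if __name__ == "__main__":
    endpoint = FakeTokenEndpoint("cid", "secret")       # constructed credentials
    print(exchange_refresh_token(endpoint, "example.test", ("cid", "secret"), "old-refresh-token"))
    client = M2MTokenClient("example.test", "cid", "secret", endpoint)
    print(client.get_token())
```

To run it against a real endpoint, pass `requests.Session()` as `session`; the fake exposes the same `post` signature, and the `timeout` keyword keeps a hung token endpoint from blocking the sync loop indefinitely. The cache holds the access token only in memory, which is the right place for a bearer credential in a background service.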