We are instrumenting call flow performance across multiple BPO tenants in Genesys Cloud. The goal is to scope a single OAuth client to specific divisions so we can isolate traces in New Relic APM without crossing tenant boundaries.
The documentation mentions the scope parameter, but it’s unclear how to restrict access at the division level during the token exchange. We’ve tried adding division_id to the client credentials flow, but the resulting access token still grants broad access.
Here’s the current request payload:
{
  "grant_type": "client_credentials",
  "scope": "read:conversation:participant:all write:conversation:participant:all",
  "division_id": "abc123-division-id"
}
The response returns a 200 OK, but the token metadata doesn’t reflect the division constraint. When we use this token to fetch queues, we see resources from other divisions.
Is there a specific header or query parameter we’re missing? Or does the division scoping only apply to resource-level APIs after authentication?
We’re using the standard Genesys Cloud API gateway. Any insights on how to tighten this down for our multi-tenant setup would be appreciated.
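A post-authentication tenant-boundary check, added here as an example; it is not part of the original post and is not Genesys Cloud's own SDK or documentation. It assumes, hypothetically, that a queue listing response is a JSON object with an `entities` array in which each entry carries a `division` object with an `id` field; the sample response, queue names and division ids are constructed for illustration. The idea is to treat every listing returned under a supposedly division-scoped token as evidence: if any entity belongs to a division outside the allowed set, the token is not enforcing the boundary and the client must not rely on it.

```python
"""Verify that resources returned under a division-scoped OAuth token stay
inside the intended tenant boundary.

Added example, not from the original post. Assumes (hypothetically) that the
queue listing looks like {"entities": [{"id", "name", "division": {"id"}}]}.
Sample data below is constructed; nothing here calls a live API.
"""
import json
from typing import Iterable

# Constructed sample: two queues in the caller's division, one from another.
SAMPLE_QUEUE_RESPONSE = json.dumps({
    "entities": [
        {"id": "q-1", "name": "BPO-A Billing",
         "division": {"id": "abc123-division-id"}},
        {"id": "q-2", "name": "BPO-A Support",
         "division": {"id": "abc123-division-id"}},
        {"id": "q-3", "name": "BPO-B Sales",
         "division": {"id": "def456-other-division"}},
    ]
})


def partition_by_division(response_json: str,
                          allowed_divisions: Iterable[str]) -> tuple[list, list]:
    """Split listing entities into (in_scope, out_of_scope).

    An entity with no division id is treated as out of scope, since an
    unattributed resource cannot be proven to belong to the tenant.
    """
    allowed = set(allowed_divisions)
    in_scope, out_of_scope = [], []
    for entity in json.loads(response_json).get("entities", []):
        division_id = (entity.get("division") or {}).get("id")
        record = {"id": entity.get("id"), "name": entity.get("name"),
                  "division": division_id}
        (in_scope if division_id in allowed else out_of_scope).append(record)
    return in_scope, out_of_scope


def find_cross_division_entities(response_json: str,
                                 allowed_divisions: Iterable[str]) -> list:
    """Return entities outside allowed_divisions.

    Empty list: the token's effective access matched the intended boundary
    for this request. Non-empty list: the division constraint was not
    enforced at the token level, so the client is seeing other tenants' data.
    Client-side filtering of these results is NOT a substitute for server-side
    scoping; it only makes the leakage visible so it can be reported.
    """
    return partition_by_division(response_json, allowed_divisions)[1]


def boundary_report(response_json: str, allowed_divisions: Iterable[str]) -> dict:
    """Summarise a listing for a monitoring check or trace attribute."""
    in_scope, leaked = partition_by_division(response_json, allowed_divisions)
    return {
        "in_scope": len(in_scope),
        "out_of_scope": len(leaked),
        "leaked_divisions": sorted({e["division"] for e in leaked if e["division"]}),
        "boundary_enforced": not leaked,
    }


if __name__ == "__main__":
    report = boundary_report(SAMPLE_QUEUE_RESPONSE, ["abc123-division-id"])
    print(json.dumps(report, indent=2))
    for entity in find_cross_division_entities(SAMPLE_QUEUE_RESPONSE,
                                               ["abc123-division-id"]):
        print("cross-division resource:", entity)
```

Run against the constructed sample, the report flags one queue from `def456-other-division` and sets `boundary_enforced` to false, which is the same symptom the post describes. Wiring `boundary_report` into the instrumentation path (for instance as a custom attribute on the trace) turns "the token still grants broad access" from a manual observation into an alert that fires whenever a tenant boundary is crossed.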