What’s the correct way to scope an OAuth client to specific divisions in a multi-tenant BPO environment?
We’re running a hybrid platform where different clients live in separate divisions. I need a service account that can only access data within those specific divisions, not the whole org.
I created the OAuth client via the /api/v2/oauth/clients endpoint and set the grant_type to client_credentials. I tried adding the division IDs to the scopes array, but that doesn’t seem to work. The docs mention division_ids in the client config, but I’m not sure if that restricts the token’s scope or just the client’s visibility.
Here’s the payload I sent:
    {
      "client_name": "bpo-service-account",
      "grant_type": "client_credentials",
      "scope": ["organization:read", "user:read"],
      "division_ids": ["div-id-123", "div-id-456"]
    }
When I get a token and call /api/v2/users, I still see users from other divisions. It’s like the division_ids field is ignored for the actual API calls.
I’ve checked the user’s division assignments, and they’re correct. Is there a specific scope parameter I’m missing? Or do I need to use a different grant type?
It’s 3 AM here and I’m starting to pull my hair out. The documentation is vague on this exact use case.
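Whatever field ends up restricting the client, the thing worth doing before trusting the service account is the empirical check the post describes by hand: obtain a token, walk /api/v2/users, and confirm that every returned user belongs to one of the intended divisions. The script below is an added example, not code from the original post or from the platform's own SDK. It assumes a response shape (a page object with an "entities" list, each user carrying {"id": ..., "division": {"id": ...}}, plus an optional "nextUri" for the next page) and a base URL; both are assumptions, and the sample pages are constructed so the audit runs offline.

```python
"""Audit whether a client_credentials service account really sees only
its intended divisions.  Added example: the /api/v2/users response shape
("entities", per-user "division": {"id"}, optional "nextUri") and the
base URL are assumptions, not taken from the original post."""
import json
import urllib.request
from typing import Callable, Dict, List, Optional

# Division allowlist from the post's payload; any other division id
# showing up in the results means the restriction is not in effect.
ALLOWED_DIVISIONS = {"div-id-123", "div-id-456"}

# ---- constructed sample data so the audit runs offline ------------------
SAMPLE_PAGES: Dict[str, dict] = {
    "/api/v2/users": {
        "entities": [
            {"id": "u1", "division": {"id": "div-id-123"}},
            {"id": "u2", "division": {"id": "div-id-999"}},  # out of scope
        ],
        "nextUri": "/api/v2/users?pageNumber=2",
    },
    "/api/v2/users?pageNumber=2": {
        "entities": [
            {"id": "u3", "division": {"id": "div-id-456"}},
            {"id": "u4"},  # no division at all: flag it rather than ignore it
        ],
    },
}


def offline_fetch(uri: str) -> dict:
    """Page fetcher backed by the constructed sample data above."""
    return SAMPLE_PAGES[uri]


def make_http_fetch(base_url: str, token: str) -> Callable[[str], dict]:
    """Real page fetcher: GET base_url + uri with the bearer token.
    base_url is an assumption (e.g. "https://api.example.invalid")."""
    def fetch(uri: str) -> dict:
        req = urllib.request.Request(
            base_url + uri,
            headers={"Authorization": f"Bearer {token}",
                     "Accept": "application/json"},
        )
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.loads(resp.read().decode("utf-8"))
    return fetch


def fetch_all_users(fetch_page: Callable[[str], dict],
                    start_uri: str = "/api/v2/users") -> List[dict]:
    """Follow nextUri until the API stops paginating.
    A 'seen' set guards against a server that keeps returning the same
    nextUri, which would otherwise loop forever."""
    users: List[dict] = []
    uri: Optional[str] = start_uri
    seen = set()
    while uri and uri not in seen:
        seen.add(uri)
        page = fetch_page(uri)
        users.extend(page.get("entities", []))
        uri = page.get("nextUri")
    return users


def audit_division_scope(users: List[dict], allowed: set) -> dict:
    """Classify every returned user as in scope, out of scope (grouped by
    the offending division id) or lacking a division.  The account is
    only considered correctly restricted when both problem lists are empty."""
    out_of_scope: Dict[str, List[str]] = {}
    no_division: List[str] = []
    in_scope = 0
    for user in users:
        div_id = (user.get("division") or {}).get("id")
        if div_id is None:
            no_division.append(user.get("id"))
        elif div_id not in allowed:
            out_of_scope.setdefault(div_id, []).append(user.get("id"))
        else:
            in_scope += 1
    return {
        "in_scope": in_scope,
        "out_of_scope": out_of_scope,
        "no_division": no_division,
        "effective_restriction": not out_of_scope and not no_division,
    }


def run_audit(fetch_page: Callable[[str], dict] = offline_fetch,
              allowed: set = ALLOWED_DIVISIONS) -> dict:
    """Fetch every page and audit it; swap in make_http_fetch(...) for a live run."""
    return audit_division_scope(fetch_all_users(fetch_page), allowed)


if __name__ == "__main__":
    print(json.dumps(run_audit(), indent=2))
```

For a live run, replace the default fetcher with make_http_fetch(base_url, token) using the token issued to the service account; if "effective_restriction" comes back False, the client is not yet confined to those divisions regardless of what the creation payload accepted.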