Hey folks,
I’m setting up a new OAuth client for our BPO partners so they can pull adherence data via the API without seeing other tenants. We’re using the standard client credentials flow in Python with the genesyscloud SDK. I’ve got the client ID and secret, but when I request the token, I’m not sure how to restrict it to just their division ID. The docs mention scopes, but I don’t see a division scope option. Here’s my current token request:
```python
# Import for Client not shown in the post
client = Client.create_client(
    client_id='my_client_id',
    client_secret='my_secret',
    base_url='https://api.mypurecloud.com'
)
```
The token generates fine, but the subsequent GET to /api/v2/wfm/schedules returns data for all divisions. I’ve tried adding divisionId as a query param, but that just filters the result set; it doesn’t restrict the token’s access. I want the token itself to be invalid for other divisions. Is there a specific scope string I need to pass during the /oauth/token exchange? Or do I need to configure something on the client in the admin console first? I’ve been staring at the OAuth docs for hours and it’s not clicking. I just need to keep the data siloed properly.
You don’t pass division in the token request.
You filter it in the API call or set it on the platformClient.
```python
from genesyscloud.platform_client_v2 import PlatformClientV2
from genesyscloud.reporting import ReportingApi

platform_client = PlatformClientV2()
reporting_api = ReportingApi(platform_client)

# Set the division context for subsequent calls
platform_client.set_default_division('your-bpo-division-id')

# Or pass it directly in the query params
query_body = {}  # placeholder: your existing analytics query body goes here
response = reporting_api.post_reporting_analytics_interactions_query(
    body=query_body,
    division_ids=['your-bpo-division-id']  # <-- This is the key
)
```
The confusion usually comes from mixing up authentication with authorization boundaries. The OAuth token just says "you are allowed to talk to the API." It doesn't care about divisions. That logic lives in the resource endpoints.
If your BPO partners have a dedicated division, you need to enforce that scope at the request level. Don't try to hack the token payload. Just grab that division ID from the admin console and pass it into the `division_ids` parameter of your reporting query. If you're using the SDK, setting the default division on the client instance saves you from repeating it in every call.
Check the `POST /api/v2/analytics/interactions/query` docs. The `divisionIds` array is right there in the request body schema. If they hit an endpoint without that filter, they'll see everything the client credentials are allowed to see, which is probably not what you want for a BPO setup.
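Since the token carries no division boundary, the safe pattern is to pin the partner-facing code path to one division and verify what comes back. The following is an added example, not code from this thread or from the Genesys SDK: it builds a query body that always carries `divisionIds` (the field named above; the `interval` and `order` fields are assumed placeholders), and it checks every returned record against the allow-list so a dropped or ignored filter fails closed instead of forwarding another tenant's data. The `divisionId` key on returned records and the sample responses are constructed for the example.

```python
"""Added example (not from the thread or the Genesys SDK): keep the
partner-facing data path pinned to one division, because the OAuth token
itself carries no division boundary.

Assumptions, labelled as such:
- the analytics query body accepts a top-level "divisionIds" list (named in
  the thread); "interval" and "order" are placeholder fields;
- each returned record exposes its division under a "divisionId" key.
"""
from __future__ import annotations

from typing import Iterable


class DivisionBoundaryError(Exception):
    """Raised when a response contains data outside the allowed divisions."""


def build_interactions_query(allowed_divisions: Iterable[str], interval: str) -> dict:
    """Build a request body that always carries the division filter.

    An empty allow-list is rejected rather than silently querying every
    division the client credentials can see.
    """
    divisions = sorted(set(allowed_divisions))
    if not divisions:
        raise ValueError("at least one division ID is required")
    return {
        "interval": interval,       # placeholder field (assumed)
        "order": "asc",             # placeholder field (assumed)
        "divisionIds": divisions,   # the server-side filter the thread describes
    }


def enforce_division_boundary(records: list[dict], allowed_divisions: Iterable[str]) -> list[dict]:
    """Defence in depth: verify every record belongs to an allowed division.

    If the filter was dropped, or the endpoint ignored it, this raises
    instead of returning another division's data to the partner.
    """
    allowed = set(allowed_divisions)
    leaked = {str(r.get("divisionId")) for r in records if r.get("divisionId") not in allowed}
    if leaked:
        raise DivisionBoundaryError(f"records outside allowed divisions: {sorted(leaked)}")
    return records


def partner_query_is_safe(records: list[dict], allowed_divisions: Iterable[str]) -> bool:
    """True when the response stays inside the allowed divisions, else False."""
    try:
        enforce_division_boundary(records, allowed_divisions)
        return True
    except DivisionBoundaryError:
        return False


# Constructed sample responses (not real Genesys output).
SAMPLE_OK = [
    {"conversationId": "c-1", "divisionId": "div-bpo"},
    {"conversationId": "c-2", "divisionId": "div-bpo"},
]
SAMPLE_LEAK = SAMPLE_OK + [{"conversationId": "c-3", "divisionId": "div-internal"}]


if __name__ == "__main__":
    body = build_interactions_query(["div-bpo"], "2024-01-01T00:00:00Z/2024-01-02T00:00:00Z")
    print(body)
    print(partner_query_is_safe(SAMPLE_OK, ["div-bpo"]))    # True
    print(partner_query_is_safe(SAMPLE_LEAK, ["div-bpo"]))  # False
```

Wiring `build_interactions_query` in front of the SDK call and `enforce_division_boundary` behind it turns the per-call `division_ids` filter into a check the partner integration cannot skip; a failure of the post-check is worth logging as a tenancy alert, since it means an unfiltered query reached the API.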