We’re building a Kotlin backend service (using genesys-cloud-kotlin v2.18.0) that needs to manage users across multiple client divisions in our Genesys Cloud org. The setup is a standard multi-tenant BPO model where each client has their own division ID.
The problem is scoping the OAuth client. When I create an OAuth client via the UI, I can select specific divisions, but the resulting access token seems to grant access to everything in the org, or at least the API calls don’t respect the division boundaries I expected.
Here’s the flow:
- Get token using `client_credentials` grant.
- Call `GET /api/v2/users` with `divisionId=abc-123`.
- Get back users from other divisions too.
I’ve checked the client settings. The allowedScopes include user:view, but I don’t see a way to enforce division-level isolation via the token itself. Am I missing a parameter in the token request, or is this purely an API-side filter I need to handle in Kotlin?
The docs mention division as a query param, but if the token isn’t scoped correctly, that feels like a security risk. Any ideas on how to lock the token to a specific division?
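An added example, not part of the original post and not code from genesys-cloud-kotlin: a Python sketch of the flow described above (client_credentials token exchange, then `GET /api/v2/users?divisionId=...`) with a client-side check that fails loudly if any returned user's `division.id` is not the division that was requested. Assumptions: the login host `login.mypurecloud.com` and API host `api.mypurecloud.com` are placeholders for the org's region, each user object carries a `division.id` field, and the sample page at the bottom is constructed, not a real API response. Note that a check like this is not an authorization boundary: if the token can read other divisions, the service has already received that data, so the check should be treated as a detector that stops processing, not as a filter that quietly hides the extra rows.

```python
"""Defensive division check for Genesys Cloud GET /api/v2/users (added example)."""
import base64
import json
import urllib.parse
import urllib.request


class DivisionLeakError(Exception):
    """Raised when a users page contains entities outside the requested division."""


def get_client_credentials_token(login_host: str, client_id: str, client_secret: str) -> str:
    """POST grant_type=client_credentials with Basic auth; returns the bearer token."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
    req = urllib.request.Request(
        f"https://{login_host}/oauth/token",
        data=body,
        headers={
            "Authorization": f"Basic {creds}",
            "Content-Type": "application/x-www-form-urlencoded",
        },
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def fetch_users_page(api_host: str, token: str, division_id: str,
                     page_number: int = 1, page_size: int = 100) -> dict:
    """One page of GET /api/v2/users filtered by divisionId (network call, not run in the test)."""
    query = urllib.parse.urlencode(
        {"divisionId": division_id, "pageNumber": page_number, "pageSize": page_size}
    )
    req = urllib.request.Request(
        f"https://{api_host}/api/v2/users?{query}",
        headers={"Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def partition_by_division(page: dict, expected_division_id: str):
    """Split a users page into (in-division, out-of-division) lists.

    A user with no division field is treated as out-of-division: missing data
    must not pass an isolation check.
    """
    allowed, leaked = [], []
    for user in page.get("entities", []):
        division_id = (user.get("division") or {}).get("id")
        (allowed if division_id == expected_division_id else leaked).append(user)
    return allowed, leaked


def users_in_division_or_raise(page: dict, expected_division_id: str) -> list:
    """Return the page's users, or raise if anything from another division came back."""
    allowed, leaked = partition_by_division(page, expected_division_id)
    if leaked:
        leaked_ids = sorted({(u.get("division") or {}).get("id") or "<none>" for u in leaked})
        raise DivisionLeakError(
            f"requested division {expected_division_id!r} but received {len(leaked)} "
            f"user(s) from {leaked_ids}; token is not division-scoped as expected"
        )
    return allowed


def all_users_in_division(api_host: str, token: str, division_id: str) -> list:
    """Walk every page of the filtered listing, checking each page as it arrives."""
    users, page_number = [], 1
    while True:
        page = fetch_users_page(api_host, token, division_id, page_number)
        users.extend(users_in_division_or_raise(page, division_id))
        if page_number >= int(page.get("pageCount", 1)):
            return users
        page_number += 1


# Constructed sample page (shape mirrors a users listing; ids are placeholders).
SAMPLE_PAGE = {
    "entities": [
        {"id": "u1", "name": "Agent One", "division": {"id": "abc-123", "name": "Client A"}},
        {"id": "u2", "name": "Agent Two", "division": {"id": "other-999", "name": "Client B"}},
        {"id": "u3", "name": "Agent Three", "division": {"id": "abc-123", "name": "Client A"}},
        {"id": "u4", "name": "No Division"},
    ],
    "pageSize": 100, "pageNumber": 1, "total": 4, "pageCount": 1,
}


def demo() -> dict:
    """Run the check on the constructed page; returns ids so the result can be inspected."""
    allowed, leaked = partition_by_division(SAMPLE_PAGE, "abc-123")
    try:
        users_in_division_or_raise(SAMPLE_PAGE, "abc-123")
        raised = False
    except DivisionLeakError:
        raised = True
    return {"allowed": [u["id"] for u in allowed],
            "leaked": [u["id"] for u in leaked],
            "raised": raised}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In the Kotlin service the equivalent would wrap the `UsersApi` call the same way: compare each returned user's division id against the one requested and abort the batch on a mismatch, and log the mismatch as a security event, since the interesting fact is that the token could see across divisions at all.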