Trying to understand how to restrict an OAuth client to specific divisions for multi-tenant BPO access.
I am configuring a custom integration for a BPO partner. The requirement is that their service account should only access data within their assigned division. I created a client via /api/v2/oauth/clients and set the division_id. However, when I authenticate using client_credentials, the resulting token grants access to all divisions. I tried passing division_id in the token request body, but it gets ignored. Is there a specific scope or configuration step I am missing to enforce division-level isolation for the OAuth token?