Need some help troubleshooting the division scope configuration for a new OAuth client intended for a multi-tenant BPO environment. The goal is to restrict API access to specific divisions rather than granting global read/write permissions. I am using the Genesys Cloud Platform SDK for JavaScript within an Angular service to create the client via the /api/v2/oauth/clients endpoint.
Despite passing the divisionId in the request body, the resulting client appears to have no divisional restrictions, or the subsequent token requests fail with a 403 Forbidden when trying to access resources in that division. I suspect the scopes array might need explicit divisional tokens, but the documentation is ambiguous regarding multi-tenant isolation.
Here is the JSON payload I am sending:
    {
      "name": "BPO Tenant Client",
      "description": "Restricted access for Tenant A",
      "grantTypes": ["client_credentials"],
      "scopes": [
        "analytics:callcenter:read",
        "user:read"
      ],
      "divisionId": "d-12345-abcde"
    }
The API returns a 201 Created status, but the client lacks the expected isolation. Is there a specific scope parameter or a different API endpoint required to bind an OAuth client to a division for proper multi-tenant access control?