Scoping OAuth client to specific divisions via API

Trying to restrict a client credentials grant to specific divisions for a multi-tenant BPO setup. Docs state: “The divisions property on the OAuth client resource allows you to limit access to specific organizational units.”

PUT /api/v2/oauth/clients/{id}
{
  "divisions": ["550e8400-e29b-41d4-a716-446655440000"]
}

Getting 200 OK, but the resulting token still accesses all divisions. Am I missing a flag or is the API ignoring the payload? Checking the client details shows the division ID is saved, but scope validation fails downstream.

The divisions array on the client is for isolation, not filtering. You still need to set the division_id header on every request. The token grants access, but the API endpoint decides what to return. Try adding this header to your curl:

-H "division-id: 550e8400-e29b-41d4-a716-446655440000"
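
Added example, not part of the thread and not the vendor's implementation: a small Python model of the distinction discussed above, comparing an endpoint where the division header only filters results with one that bounds results by the divisions saved on the OAuth client. The endpoint functions, the Token class, the records and the second division ID are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

DIV_A = "550e8400-e29b-41d4-a716-446655440000"  # division ID from the post
DIV_B = "00000000-0000-4000-8000-00000000000b"  # constructed second tenant
RECORDS = [{"id": "q1", "division": DIV_A},     # constructed sample data
           {"id": "q2", "division": DIV_B}]

@dataclass(frozen=True)
class Token:
    client_id: str
    divisions: frozenset  # divisions saved on the OAuth client

class Forbidden(Exception):
    pass

def list_filter_only(token, division_header=None):
    # Hypothetical endpoint: the header narrows the result set, but the
    # token's division list is never consulted.
    if division_header is None:
        return list(RECORDS)
    return [r for r in RECORDS if r["division"] == division_header]

def list_enforced(token, division_header=None):
    # Hypothetical endpoint: the header may narrow the result set, but the
    # token's division list is the upper bound on what can be returned.
    if division_header is not None and division_header not in token.divisions:
        raise Forbidden(division_header)
    allowed = token.divisions if division_header is None else {division_header}
    return [r for r in RECORDS if r["division"] in allowed]

def leaked_divisions(endpoint, token, probes=(None, DIV_A, DIV_B)):
    # Isolation check: call the endpoint with no header and with each known
    # division, then report divisions seen that are not on the client.
    seen = set()
    for header in probes:
        try:
            seen.update(r["division"] for r in endpoint(token, header))
        except Forbidden:
            continue
    return seen - token.divisions

if __name__ == "__main__":
    tok = Token("bpo-tenant-a", frozenset({DIV_A}))
    print("filter only:", leaked_divisions(list_filter_only, tok))
    print("enforced:   ", leaked_divisions(list_enforced, tok))
```

An empty result from leaked_divisions is the property a multi-tenant setup needs; the same probe pattern can be pointed at a real test tenant by replacing the endpoint function with an HTTP call.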