We’re setting up a multi-tenant BPO integration where each client gets their own Genesys Cloud organization. The goal is to have a single backend service that can switch contexts and manage queues for different tenants using a single OAuth client ID, but scoped to specific divisions within each org. I’m trying to use the division_id parameter in the token request or perhaps in the API calls themselves to restrict access.
Currently, I’m using the standard client credentials flow. When I make a request to /api/v2//queues without a specific division header, it returns queues from the default division. If I try to pass x-gcc-request-id or similar headers, it doesn’t seem to filter by division. I found some docs mentioning grant_type=client_credentials with a scope parameter, but I can’t find a way to pass a division ID in the token request itself.
Here’s the curl command I’m using to get the token:
curl -X POST 'https://login.mypurecloud.com/oauth/token' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'grant_type=client_credentials&client_id=my_client_id&client_secret=my_secret'
And then for the API call:
curl -X GET 'https://api.mypurecloud.com/api/v2//queues' \
-H 'Authorization: Bearer <token>' \
-H 'Content-Type: application/json'
I need to restrict this token to only access division div_123 and div_456 for a specific tenant. Is there a way to scope the token to divisions during issuance, or do I need to handle this filtering entirely in my code after fetching all queues? The current approach feels insecure and inefficient. Any pointers on the correct way to handle this with the Genesys Cloud API?