Just noticed that our Premium App is receiving 403 Forbidden errors when attempting to fetch screen recording metadata via the /api/v2/analytics/screenrecordings endpoint. The multi-org OAuth token has the required recording:view scope, and the request succeeds for the primary organization but fails for all linked partner orgs. We are using the latest Python SDK and have verified the token validity. Is there a specific permission gap or configuration requirement for accessing screen recordings across multi-org boundaries that isn’t documented?
The main issue here is likely a mismatch in the OAuth client’s organization scope mapping rather than a simple permission flag. When using multi-org tokens, the Recording API strictly enforces that the requesting principal has explicit ‘recording:view’ permissions within the target organization’s security profile, not just the primary one. The Python SDK handles token rotation well, but it does not automatically map cross-tenant privileges. You need to verify that the Service Account used for the OAuth client has been explicitly added to the ‘Recording Analyst’ or equivalent custom role in each linked partner organization.
Check the GET /api/v2/security/roles endpoint for the target orgs to ensure the role ID associated with your service account includes the recording:view permission. If the role exists but the scope is missing, you will get a 403 even with a valid token.
Note: Ensure the Service Account is not locked to the primary org only in the Developer Console settings.
Yep, this is a known issue when chaining multi-org authentication with specific analytics endpoints. The 403 error isn’t always about the token itself, but rather how the ServiceNow integration layer interprets the cross-tenant context when the initial webhook payload triggers the screen pop logic.
In my recent implementations with Digital Channels, I found that the standard recording:view scope on the primary org’s service account often fails to propagate correctly to linked partner organizations if the OAuth client isn’t explicitly configured with the impersonate capability for those specific sub-tenants. The API gateway checks the target organization’s security profile independently.
To resolve this, you need to ensure the Service Account used for the Data Action has the admin:screen_recordings role assigned in each partner organization, not just the primary. Additionally, verify that the webhook payload includes the correct organizationId in the header. If you are using a Data Action to push this data to ServiceNow, ensure the REST API call includes the specific organization ID in the query parameters.
Here is a sample of the correct header structure for the request:
{
"Authorization": "Bearer <multi_org_token>",
"X-GCC-Organization-Id": "<partner_org_id>",
"Content-Type": "application/json"
}
Also, check if the partner orgs have the “Analytics” license feature enabled. Sometimes the scope exists, but the feature flag is off, causing a silent 403. If the issue persists, try regenerating the client secret and ensuring the OAuth grant type is set to client_credentials with explicit resource server permissions for the analytics API.
- Verify
recording:viewscope in each partner org - Check
admin:screen_recordingsrole assignment - Confirm
X-GCC-Organization-Idheader usage - Validate Analytics license features in partner orgs