- GC Platform API v2
- AppFoundry Partner Integration
- Multi-tenant OAuth setup
Need some help troubleshooting a 403 Forbidden error when attempting to create a new script via the Scripting API. The initial access token is valid, but the subsequent call to exchange it for a multi-org session token returns a 403 with the message ‘Insufficient permissions for requested action.’ The integration user has the ‘scripting:admin’ role, and this flow works perfectly in single-tenant tests. Is there a specific scope requirement for the multi-org token exchange endpoint that differs from standard scripting operations?
Have you tried verifying the specific organization-level permissions for the integration user? In Zendesk, we were used to a more monolithic permission structure where a global admin role often cascaded down, but Genesys Cloud’s multi-tenant architecture is stricter. The initial OAuth grant provides access to the primary organization, but the subsequent token exchange for a multi-org session inherits the access scope from that initial grant. If the script creation API call targets a secondary organization, the user needs explicit ‘scripting:admin’ rights within that specific organization, not just the primary one.
This is a common migration gotcha. When moving from Zendesk, teams often assume that because the user has high-level privileges in the main tenant, they automatically have them in sub-tenants or partner organizations. Genesys Cloud requires you to map these roles individually per org.
To fix this, navigate to the Admin console, select the target organization, and ensure the integration user has the correct role assigned there. You can also verify this via the API by checking the user’s roles in the specific org context:
| Requirement |
Configuration Detail |
| Primary Org Role |
scripting:admin |
| Secondary Org Role |
scripting:admin (Must be explicitly assigned) |
| OAuth Scope |
Must include scripting:write |
If the roles are correct, check if the multi-org token request includes the org_id parameter correctly. Sometimes the 403 is actually a 404 in disguise because the system can’t find the org context to validate the permission. It’s a small detail, but it makes a huge difference in a multi-tenant setup compared to the simpler Zendesk workflow. Double-check those org-specific role assignments first!