Selecting the OAuth Grant Type for Server-Side Genesys Cloud Reporting
What You Will Build
- This tutorial builds a Python script that retrieves conversation analytics data from Genesys Cloud, demonstrating the implementation differences between the Client Credentials and Authorization Code grant types.
- The code utilizes the Genesys Cloud Python SDK (
genesyscloud) and the underlyingrequestslibrary to handle OAuth token acquisition. - The primary language is Python 3.10+, with JSON payloads illustrating the API responses.
Prerequisites
- Genesys Cloud Organization: An active Genesys Cloud account with API access enabled.
- OAuth Client: A registered OAuth application in the Genesys Cloud Admin Portal under Organization > API Access.
- For Client Credentials: The client must have the Service Account checkbox enabled or be configured as a standard client with appropriate scopes.
- For Authorization Code: The client must have a valid Redirect URI configured (e.g.,
http://localhost:8080/callback).
- Scopes: The client must have the
analytics:conversation:viewscope granted. - SDK: Install the Genesys Cloud Python SDK:
pip install genesyscloud. - Runtime: Python 3.10 or higher.
Authentication Setup
The choice between Client Credentials and Authorization Code depends on the context of execution. Client Credentials is the standard for server-to-server interactions where no specific user is acting on behalf of the system. Authorization Code is required when the application acts on behalf of a specific user, such as when a user triggers a report from a web interface.
For this tutorial, we will implement both flows to compare their complexity and data access patterns.
Client Credentials Flow (Service Account)
The Client Credentials flow exchanges the client ID and secret for an access token. This token represents the application itself, not a user. It is stateless and ideal for scheduled reporting jobs.
- Endpoint:
POST https://api.mypurecloud.com/oauth/token - Body:
grant_type=client_credentials&scope=analytics:conversation:view
Authorization Code Flow (User Delegation)
The Authorization Code flow requires a redirect to the Genesys Cloud login page, user consent, and a callback to exchange the code for a token. This token represents the user and inherits the user’s permissions.
- Endpoint:
POST https://api.mypurecloud.com/oauth/token - Body:
grant_type=authorization_code&code={CODE}&redirect_uri={URI}
Implementation
Step 1: Configure the OAuth Client and SDK Initialization
Before making API calls, we must initialize the Genesys Cloud SDK. The SDK handles the token caching and refresh logic internally, but we must provide the correct authentication method.
Python SDK Initialization:
from genesyscloud.rest import Configuration
from genesyscloud.analytics.api import AnalyticsConversationsApi
from genesyscloud.analytics.model import QueryConversationsDetailsRequest
import os
def configure_sdk_for_client_credentials(client_id: str, client_secret: str, env: str = "mypurecloud.com"):
"""
Configures the SDK to use Client Credentials grant type.
"""
config = Configuration(
host=f"https://api.{env}",
client_id=client_id,
client_secret=client_secret,
grant_type="client_credentials",
scopes=["analytics:conversation:view"]
)
return config
def configure_sdk_for_auth_code(client_id: str, client_secret: str, redirect_uri: str, env: str = "mypurecloud.com"):
"""
Configures the SDK to use Authorization Code grant type.
Note: In a real application, you must first obtain the 'code' via a web flow.
Here we simulate the post-redirect state.
"""
config = Configuration(
host=f"https://api.{env}",
client_id=client_id,
client_secret=client_secret,
grant_type="authorization_code",
redirect_uri=redirect_uri,
scopes=["analytics:conversation:view"]
)
return config
Key Distinction: The grant_type parameter in the Configuration object dictates how the SDK requests tokens. For Client Credentials, the SDK automatically handles the POST to /oauth/token. For Authorization Code, the SDK expects a code parameter to be provided in the request body or via a custom token provider.
Step 2: Implementing the Client Credentials Flow
This section demonstrates a complete, runnable script using Client Credentials. This is the recommended approach for background reporting services.
Working Code:
import os
import json
from datetime import datetime, timedelta
from genesyscloud.rest import Configuration
from genesyscloud.analytics.api import AnalyticsConversationsApi
from genesyscloud.analytics.model import QueryConversationsDetailsRequest
from genesyscloud.rest import ApiException
def run_client_credentials_report(client_id: str, client_secret: str) -> list:
"""
Retrieves conversation details using Client Credentials grant.
"""
# 1. Configure the SDK
config = Configuration(
host="https://api.mypurecloud.com",
client_id=client_id,
client_secret=client_secret,
grant_type="client_credentials",
scopes=["analytics:conversation:view"]
)
# 2. Create the API instance
api_instance = AnalyticsConversationsApi(config)
# 3. Define the query parameters
# Query for conversations in the last 24 hours
end_time = datetime.utcnow()
start_time = end_time - timedelta(hours=24)
query_body = QueryConversationsDetailsRequest(
date_from=start_time.isoformat() + "Z",
date_to=end_time.isoformat() + "Z",
size=100, # Max page size
query_type="summary",
group_by=["wrapupcode"]
)
try:
# 4. Execute the API call
response = api_instance.post_analytics_conversations_details_query(body=query_body)
# 5. Process the response
conversations = response.entities
print(f"Retrieved {len(conversations)} conversation summaries.")
return conversations
except ApiException as e:
print(f"Exception when calling AnalyticsConversationsApi->post_analytics_conversations_details_query: {e}")
if e.status == 401:
print("Error: Invalid credentials or expired token.")
elif e.status == 403:
print("Error: Insufficient scopes or permissions.")
elif e.status == 429:
print("Error: Rate limit exceeded. Implement retry logic.")
raise e
if __name__ == "__main__":
# Load credentials from environment variables
CLIENT_ID = os.getenv("GENESYS_CLIENT_ID")
CLIENT_SECRET = os.getenv("GENESYS_CLIENT_SECRET")
if CLIENT_ID and CLIENT_SECRET:
run_client_credentials_report(CLIENT_ID, CLIENT_SECRET)
else:
print("Please set GENESYS_CLIENT_ID and GENESYS_CLIENT_SECRET environment variables.")
Expected Response:
The post_analytics_conversations_details_query endpoint returns a JSON object containing an entities array. Each entity represents a conversation summary.
{
"entities": [
{
"id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
"type": "voice",
"startTime": "2023-10-27T10:00:00.000Z",
"endTime": "2023-10-27T10:05:00.000Z",
"wrapupcode": "Sales Qualified",
"participants": [
{
"id": "agent-id-123",
"name": "John Doe",
"type": "agent"
}
]
}
],
"pageSize": 1,
"pageNumber": 1,
"total": 150
}
Error Handling:
- 401 Unauthorized: The client ID or secret is incorrect, or the token has expired. The SDK automatically retries token refresh for Client Credentials, but if the credentials are invalid, it raises a 401.
- 403 Forbidden: The OAuth client does not have the
analytics:conversation:viewscope, or the service account lacks organizational permissions to view analytics. - 429 Too Many Requests: Genesys Cloud enforces rate limits. If you exceed the limit, the API returns a 429. The SDK does not automatically retry 429s. You must implement exponential backoff.
Step 3: Implementing the Authorization Code Flow
The Authorization Code flow is more complex because it requires a web server to handle the redirect. This section shows how to configure the SDK for this flow and how to handle the token exchange.
Working Code:
import os
import http.server
import urllib.parse
from genesyscloud.rest import Configuration
from genesyscloud.analytics.api import AnalyticsConversationsApi
from genesyscloud.analytics.model import QueryConversationsDetailsRequest
from genesyscloud.rest import ApiException
class OAuthCallbackHandler(http.server.BaseHTTPRequestHandler):
def do_GET(self):
# Parse the URL to extract the authorization code
parsed_url = urllib.parse.urlparse(self.path)
query_params = urllib.parse.parse_qs(parsed_url.query)
if 'code' in query_params:
auth_code = query_params['code'][0]
state = query_params.get('state', [''])[0]
print(f"Received authorization code: {auth_code}")
# Exchange the code for an access token
try:
self.exchange_code_for_token(auth_code)
except Exception as e:
self.send_error(500, f"Token exchange failed: {e}")
else:
self.send_error(400, "No authorization code provided")
# Send a simple success response
self.send_response(200)
self.send_header('Content-type', 'text/html')
self.end_headers()
self.wfile.write(b'<html><body><h1>Authentication Successful. You can close this window.</h1></body></html>')
def exchange_code_for_token(self, code: str):
"""
Exchanges the authorization code for an access token and runs the report.
"""
CLIENT_ID = os.getenv("GENESYS_CLIENT_ID")
CLIENT_SECRET = os.getenv("GENESYS_CLIENT_SECRET")
REDIRECT_URI = "http://localhost:8080/callback"
# Configure SDK for Authorization Code
config = Configuration(
host="https://api.mypurecloud.com",
client_id=CLIENT_ID,
client_secret=CLIENT_SECRET,
grant_type="authorization_code",
redirect_uri=REDIRECT_URI,
scopes=["analytics:conversation:view"]
)
# Set the authorization code in the configuration
# The SDK will use this to fetch the token on the first API call
config.access_token = None # Force token refresh
config.authorization_code = code
api_instance = AnalyticsConversationsApi(config)
# Define the query
from datetime import datetime, timedelta
end_time = datetime.utcnow()
start_time = end_time - timedelta(hours=24)
query_body = QueryConversationsDetailsRequest(
date_from=start_time.isoformat() + "Z",
date_to=end_time.isoformat() + "Z",
size=100,
query_type="summary",
group_by=["wrapupcode"]
)
try:
response = api_instance.post_analytics_conversations_details_query(body=query_body)
print(f"Retrieved {len(response.entities)} conversation summaries on behalf of user.")
except ApiException as e:
print(f"API Exception: {e}")
raise e
if __name__ == "__main__":
# Start the local server to handle the callback
server_address = ('', 8080)
httpd = http.server.HTTPServer(server_address, OAuthCallbackHandler)
print("Starting local server on port 8080...")
print("Please visit the Genesys Cloud login URL to initiate the flow.")
# In a real application, you would redirect the user to:
# https://login.mypurecloud.com/as/authorization.oauth2?
# response_type=code&
# client_id={CLIENT_ID}&
# redirect_uri={REDIRECT_URI}&
# scope=analytics:conversation:view&
# state=random_state_string
httpd.serve_forever()
Key Distinction:
- The
configuration.authorization_codeproperty is set manually after the redirect. - The SDK uses this code to call
/oauth/tokenwithgrant_type=authorization_code. - The resulting token is tied to the user who logged in. This allows the API call to access data that the user has permission to see, even if the application itself does not have broad organizational permissions.
Edge Cases:
- Code Expiration: Authorization codes expire quickly (usually 10 minutes). If the user delays, the code becomes invalid.
- State Parameter: Always include a
stateparameter in the initial redirect to prevent CSRF attacks. Verify the state in the callback. - Multiple Users: If your application serves multiple users, you must manage separate token caches for each user ID. The SDK’s default caching is single-user focused. For multi-tenant apps, implement a custom
AccessTokenProviderthat stores tokens in a database keyed by user ID.
Step 4: Processing Results and Pagination
Both flows return the same data structure. However, large reports require pagination. The entities array contains up to size records. The total field indicates the total number of records matching the query.
Pagination Logic:
def fetch_all_conversations(api_instance: AnalyticsConversationsApi, query_body: QueryConversationsDetailsRequest) -> list:
"""
Fetches all conversations by handling pagination.
"""
all_conversations = []
page_number = 1
total_pages = 1
while page_number <= total_pages:
query_body.page = page_number
response = api_instance.post_analytics_conversations_details_query(body=query_body)
all_conversations.extend(response.entities)
total_pages = response.total // response.page_size + (1 if response.total % response.page_size > 0 else 0)
page_number += 1
return all_conversations
Note: The post_analytics_conversations_details_query endpoint supports pagination via the page parameter in the request body. Always check response.total to determine the number of pages.
Complete Working Example
Below is a complete, copy-pasteable Python script that demonstrates the Client Credentials flow. This is the recommended approach for server-side reporting applications.
#!/usr/bin/env python3
"""
Genesys Cloud Reporting Script using Client Credentials Grant.
This script retrieves conversation summaries for the last 24 hours.
"""
import os
import sys
import json
from datetime import datetime, timedelta
from genesyscloud.rest import Configuration
from genesyscloud.analytics.api import AnalyticsConversationsApi
from genesyscloud.analytics.model import QueryConversationsDetailsRequest
from genesyscloud.rest import ApiException
def get_config() -> Configuration:
"""
Creates and returns the SDK configuration using Client Credentials.
"""
client_id = os.getenv("GENESYS_CLIENT_ID")
client_secret = os.getenv("GENESYS_CLIENT_SECRET")
if not client_id or not client_secret:
raise ValueError("GENESYS_CLIENT_ID and GENESYS_CLIENT_SECRET must be set.")
return Configuration(
host="https://api.mypurecloud.com",
client_id=client_id,
client_secret=client_secret,
grant_type="client_credentials",
scopes=["analytics:conversation:view"]
)
def fetch_conversation_summaries(config: Configuration) -> list:
"""
Fetches conversation summaries from Genesys Cloud.
"""
api_instance = AnalyticsConversationsApi(config)
# Define the time range
end_time = datetime.utcnow()
start_time = end_time - timedelta(hours=24)
# Construct the query
query_body = QueryConversationsDetailsRequest(
date_from=start_time.isoformat() + "Z",
date_to=end_time.isoformat() + "Z",
size=250, # Max page size
query_type="summary",
group_by=["wrapupcode"],
sort_by=["startTime"]
)
conversations = []
page = 1
total_pages = 1
try:
while page <= total_pages:
query_body.page = page
response = api_instance.post_analytics_conversations_details_query(body=query_body)
conversations.extend(response.entities)
total_pages = response.total // response.page_size + (1 if response.total % response.page_size > 0 else 0)
page += 1
return conversations
except ApiException as e:
print(f"API Error: {e.status} - {e.reason}")
print(f"Body: {e.body}")
raise e
def main():
try:
config = get_config()
conversations = fetch_conversation_summaries(config)
# Output the results
output_file = "conversation_summaries.json"
with open(output_file, "w") as f:
json.dump(conversations, f, indent=2)
print(f"Successfully retrieved {len(conversations)} conversations.")
print(f"Results saved to {output_file}")
except Exception as e:
print(f"Error: {e}")
sys.exit(1)
if __name__ == "__main__":
main()
Common Errors & Debugging
Error: 401 Unauthorized
Cause: The client ID or secret is incorrect, or the token has expired.
Fix: Verify the credentials in the Genesys Cloud Admin Portal. Ensure the OAuth client is enabled. For Client Credentials, the SDK automatically refreshes tokens, but if the initial exchange fails, it raises a 401.
Error: 403 Forbidden
Cause: The OAuth client lacks the required scope (analytics:conversation:view), or the service account does not have organizational permissions to view analytics.
Fix:
- Go to Organization > API Access > [Your Client] > Scopes.
- Add the
analytics:conversation:viewscope. - Go to Organization > Users > [Service Account User] > Roles.
- Ensure the user has a role that grants access to analytics (e.g., Supervisor or a custom role with Analytics permissions).
Error: 429 Too Many Requests
Cause: The application has exceeded the Genesys Cloud API rate limit.
Fix: Implement exponential backoff. The SDK does not handle this automatically.
import time
def api_call_with_retry(api_func, max_retries=3):
for attempt in range(max_retries):
try:
return api_func()
except ApiException as e:
if e.status == 429:
wait_time = 2 ** attempt
print(f"Rate limited. Waiting {wait_time} seconds...")
time.sleep(wait_time)
else:
raise e
raise ApiException(status=429, reason="Max retries exceeded")
Error: 400 Bad Request
Cause: The query parameters are invalid, such as an invalid date format or an unsupported group_by field.
Fix: Validate the QueryConversationsDetailsRequest object. Ensure date_from and date_to are in ISO 8601 format with a Z suffix.