SIP Recording Export Fails with 403 on Legal Hold Metadata

Could someone explain why bulk export jobs for SIP recordings are failing with a 403 Forbidden error when requesting chain of custody metadata?

We are processing legal discovery requests for voice calls. The recordings API endpoint /api/v2/recording/recordings returns the audio files successfully via S3 integration. However, when the export job attempts to fetch the associated recording_metadata for audit trails, it fails. This happens specifically for calls routed through our London BYOC edge.

The error response indicates a permissions issue on the metadata object, not the media file. We have verified that the service account has recording:view and recording:export permissions. The issue persists across multiple bulk export batches.

Is there a known gap in the permissions model for SIP metadata compared to digital channels like Webchat? We need the timestamps and agent IDs for the chain of custody report. The API logs show the request originates from our tenant’s IP range, which is whitelisted. Any insight into this specific 403 behavior would be appreciated.

Have you tried verifying the Role Permissions assigned to the service account? The error typically indicates that the identity lacks the specific Recording Export capability required for metadata retrieval.

Review the Security Profile in the Admin console. Ensure the account has explicit access to Legal Hold data, as this is often restricted by default in enterprise configurations.

Have you tried explicitly granting the recording:export:read permission to the service account? The 403 usually stems from missing legal_hold:access scopes in the security profile, which are separate from standard audio retrieval rights.