Why does this setting prevent the Zendesk Web Widget Single Sign-On integration from establishing a secure token exchange in Genesys Cloud?
We are migrating the digital channel layer from Zendesk Support to Genesys Cloud Messaging. The goal is to maintain SSO for agents coming from the Zendesk widget. We configured the OAuth2 credentials and set the redirect URI in the Genesys Cloud security settings. The environment is EU1.
When testing the flow, the authentication handshake fails at the token exchange step. The error log in the Architect flow shows a clear rejection.
Error 403: Forbidden. The client credentials do not have permission to access the requested resource. Please verify the OAuth2 scope configuration.
This is confusing because the same credentials work for the Zendesk API data migration scripts. We checked the admin:read and user:read scopes, but the SSO flow seems to require something more specific for digital channel handoffs. Is there a specific security profile or capability missing in the Genesys Cloud user role that maps to the Zendesk agent profile? We need this to work before the cutover on Friday.