HTTP 403 Forbidden on webhook delivery callback, combined with an invalid_grant region mismatch during OAuth handshake. Environment is BYOC on AWS, custom domain gc.acme-jp.net. Edge cluster sits in ap-northeast-1. Workato Genesys Cloud connector version is 3.1.2.
OAuth setup inside Workato isn’t cooperating. The connector defaults to https://api.mypurecloud.com/v2/oauth/token. Swapped it to https://login.gc.acme-jp.net/v2/oauth/token using a custom HTTP step, but the token response throws:
{
"error": "invalid_grant",
"error_description": "Region mismatch for BYOC tenant. Expected 'us-east-1', got 'ap-northeast-1'."
}
Client ID and secret are definitely correct. Ran the same creds through Postman against the login endpoint and it worked fine. Workato just times out after 30 seconds every time.
Webhook side is worse. Registered the Workato listener URL in GC Platform > Webhooks. Payload mapping looks okay, just pulling conversationId, direction, and mediaType. GC logs show Delivery Status: Failed (Edge routing restriction). Checked the VPC endpoints for the BYOC setup. The Edge egress whitelist only has the Workato IP range, but the callback still fails. Firewall logs show the connection actually reaches the listener, yet GC Edge marks it as rejected. Maybe the X-GC-Origin header is missing or malformed?
Connector config in Workato has a field for region, tried setting it to edge and ap-northeast-1, nothing changes. The low-code flow just hangs on the trigger step. Doing jack all with the default connector settings here.
Here is the webhook registration JSON:
{
"name": "Workato GC Listener",
"url": "https://hooks.workato.com/...",
"events": ["conversation:updated"],
"retryPolicy": "exponential",
"headers": {
"Authorization": "Bearer {{token}}"
}
}