Genesys Cloud - Main

Digital Bot Connector v2 (BCSP) + Cloud Run: authentication strategy and token lifecycle

    Posted 7 hours ago
    Hi everyone,
    I'm currently implementing an integration using Genesys Cloud Digital Bot Connector v2, where our custom service acts as a BCSP (Bot Connector Service Provider) as described in the official documentation:
    https://developer.genesys.cloud/commdigital/textbots/digital-botconnector-customer-api-spec

    We are building a BCSP-compliant endpoint to handle bot interactions (web messaging or WhatsApp) from Genesys Cloud.
    The BCSP is deployed on Google Cloud Run.
    Genesys Cloud (Digital Bot Connector) calls our BCSP via HTTPS following the customer API spec.
     
    From the architecture described in the documentation:
    - Genesys Cloud acts as the client
    - Our service implements the BCSP interface

    The BCSP model appears to rely on static configuration of HTTP headers for authentication (e.g., API keys or bearer tokens configured in the integration).
    However, in our environment (GCP / Cloud Run), standard best practices typically involve, for example, short-lived OAuth2 access tokens or IAM-based authentication. 
     
    This creates a mismatch because the Digital Bot Connector does not seem to support dynamic token retrieval or refresh,
    and we cannot directly use GCP-native identity-based authentication from Genesys.

    I would like to understand how others approached this in real implementations of a BCSP.
    How are you securing your BCSP endpoint?

    If you are using tokens:
    - How do you handle token rotation?
    - Are you using long-lived credentials or rotating them manually?

    Have you introduced an intermediate component between Genesys Cloud and the BCSP?

    For those using Cloud Run, have you:
    - Exposed the BCSP as a public endpoint with custom auth?
    - Or implemented a proxy layer to bridge Genesys with IAM-protected services?
    - Found a way to leverage Identity Tokens / service accounts in this setup?

    Any feedback, reference architectures, or lessons learned from production BCSP implementations would be extremely helpful.
    Thanks!

    #DigitalChannels

    ------------------------------
    Marco Brunetti

    ------------------------------
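
One way to handle the "public endpoint with custom auth" option from the post while still rotating the statically configured header value, as an added example that is not code from the poster or from Genesys. The header name, key ids and secrets are assumptions constructed for illustration; the verifier accepts the current secret plus a retiring one until a grace deadline, so the integration's header can be changed without dropping traffic.

```python
import hashlib
import hmac
import time

# Hypothetical header name: use whatever header you configure in the integration.
HEADER = "x-bcsp-secret"


def _digest(value: str) -> bytes:
    # Hash first so compare_digest always sees equal-length inputs.
    return hashlib.sha256(value.encode("utf-8")).digest()


class HeaderSecretVerifier:
    """Accepts the active static secret and a retiring one until its deadline."""

    def __init__(self):
        self._keys = {}  # key_id -> (sha256 digest, not_after epoch seconds or None)

    def add_key(self, key_id, secret, not_after=None):
        self._keys[key_id] = (_digest(secret), not_after)

    def retire(self, key_id, grace_seconds, now=None):
        # Call once the new secret is configured on the calling side:
        # the old secret stays valid only for the grace window.
        now = time.time() if now is None else now
        digest, _ = self._keys[key_id]
        self._keys[key_id] = (digest, now + grace_seconds)

    def verify(self, headers, now=None):
        """Return the matching key_id, or None if the request must be rejected."""
        now = time.time() if now is None else now
        presented = None
        for name, value in headers.items():
            if name.lower() == HEADER:  # HTTP header names are case-insensitive
                presented = value
        if not presented:
            return None
        candidate = _digest(presented)
        matched = None
        for key_id, (digest, not_after) in self._keys.items():
            # Compare against every key in constant time, with no early exit.
            ok = hmac.compare_digest(candidate, digest)
            if ok and (not_after is None or now < not_after):
                matched = key_id
        return matched
```

Logging the returned key id per request shows when the retiring secret has stopped being presented and can be removed.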