Hello Marco,
The Digital Bot Connector (v2) currently supports two primary methods for authenticating requests to your BCSP endpoint:
Connection Secret
Mutual TLS (mTLS)
The most common approach is the Connection Secret, where you configure a header name and value in the Digital Bot Connector integration. That header is included with every request sent to your BCSP, and it's up to your service to validate it. If the header is missing or invalid, your endpoint should return a 403 Forbidden response.
This is a static credential. I couldn't find any support for dynamically retrieving tokens or automatically refreshing credentials, so your understanding is correct.
For environments where stronger authentication is required, you can also enable mTLS. This uses certificate-based authentication instead of relying solely on a shared secret, but it still doesn't provide a mechanism for rotating short-lived tokens or integrating directly with cloud IAM services.
Regarding GCP Cloud Run, I don't see a native way for Genesys Cloud to authenticate directly with GCP IAM or use Identity Tokens, but just because I don't see it doesn't necessarily mean it cant be done. The current model appears to assume long-lived credentials rather than OAuth2 or cloud-native authentication patterns.
If I were deploying this on Cloud Run, I'd probably consider one of these approaches:
Use a lightweight proxy or API Gateway between Genesys Cloud and Cloud Run. The proxy can validate the static Connection Secret from Genesys Cloud and then authenticate to Cloud Run using GCP Identity Tokens. This lets you keep your backend protected with IAM while presenting the authentication model that Genesys expects.
Expose the Cloud Run service and implement your own authentication. In this model, your application validates the Connection Secret on each request. I'd recommend storing the expected secret in Google Secret Manager rather than hardcoding it.
If security requirements are particularly strict, you could also combine the Connection Secret with your own request validation or signing mechanism to add another layer of protection.
Overall, I think the proxy approach is probably the cleanest solution because it bridges the gap between Genesys Cloud's static authentication model and GCP's identity-based authentication.
One thing I wasn't able to find in the documentation is any reference architecture for cloud-native deployments (GCP, AWS, or Azure), or guidance around automated token rotation, again not saying it can't be done.
Based on the available documentation, that doesn't appear to be a supported capability today, so if dynamic token rotation is a hard requirement, it would likely need to be implemented outside of the Digital Bot Connector itself.
Hope this helps!
------------------------------
Cameron
Online Community Manager/Moderator
------------------------------