Genesys Cloud - Main

Team,

We are creating an agentless campaign and that campaign should be triggered from the back end application based on demand.

As checked, Genesys also supports sending emails following trigger events.  To achieve the same, we are creating an oAuth section for Agentless campaign to authenticate the client with a token using Grant type as "Code Authorization". 

Since its a third party web application triggering the event , Are we good to use the "Client Credentials" as Grant type or we need to go with "Code Authorization" ? 

• Authorization Code Grant - A two-step authentication process where a user authenticates with Genesys Cloud, then the client application is returned an authorization code. 
• Client Credentials Grant - A single-step authentication process exclusively for use by non-user applications (e.g. a Windows Service or cron job). 

Hi Hemanthkumar,

Yes, the 'Client Credentials' is the correct choice for your case.

Why Client Credentials is Correct:

• Non-User Context: The core of your scenario is that there's no user interaction involved in triggering the email. It's a system-to-system (your backend application to Genesys Cloud) interaction. Client Credentials Grant is specifically designed for this. Your backend application acts as the "client" and authenticates itself with Genesys Cloud.
• Machine-to-Machine Authentication: Your application, running on your server, needs to authenticate and authorize itself to use Genesys Cloud services. There's no user logging in or approving the action.
• Simplified Flow: Client Credentials is a single-step process. Your application sends its client ID and client secret, and receives an access token in return. This is much simpler and more suitable for a background process than the redirection and user interaction required by Authorization Code.
• Security Considerations: You avoid storing user credentials on your backend. The backend application only needs its own client credentials, which are under your control.
• "On Demand" Triggering: Client Credentials is perfect for on-demand, event-driven triggers. Your backend can get a token whenever it needs to send an email, without any prior user setup or interaction.

Why Authorization Code is Incorrect:

• Requires a User: The Authorization Code grant is fundamentally designed for scenarios where a user is logging in and granting permission to an application to access resources on their behalf. The two-step process involves:
  1. The user being redirected to Genesys Cloud to log in.
  2. Genesys Cloud returning an authorization code to your application (via a redirect URI).
  3. Your application exchanging that authorization code for an access token.
• No User Interface: In your agentless campaign, there's no web page where a user would log in to Genesys Cloud. The entire process is automated and in the background. There's no place for the user to interact.
• Redirect URI Problem: The Authorization Code grant requires a pre-configured redirect URI. This URI is where Genesys Cloud sends the authorization code. For a backend-only process, this redirect is unnecessary and often impossible to handle gracefully.
• Short-Lived Tokens (and Refresh Tokens): Authorization Code grants often result in short-lived access tokens. While refresh tokens are a mechanism to get new access tokens without user interaction, this adds complexity that's avoided entirely with Client Credentials.

In summary:

Because your campaign is triggered by a backend application (acting as a client) without any user involvement, the Client Credentials Grant is the appropriate and secure choice. It's designed specifically for this type of machine-to-machine authentication. Authorization Code would introduce unnecessary complexity and is fundamentally incompatible with the agentless nature of your campaign.

Thanks much Orhun and clarifying the questions. We are good to move forward now.