Vonage Contact Center Integration Permissions

Authentication Model

Authenticx authenticates to Vonage Contact Center using OAuth 2.0 client credentials grant. The integration exchanges a client_id and client_secret for a short-lived bearer token. That token is cached in memory and refreshed automatically before expiration. Credentials are stored in Azure Key Vault and never persisted in plaintext.

Required API Scopes

Three OAuth scopes must be present on the API credential you create in the VCC Admin Portal. Each scope maps to a distinct API surface. Authenticx requests no scopes beyond these three.

`interaction-content:read`

API: Vonage Interaction Content API

What it does: Grants read-only access to interaction records and call recording content.

Why it is required: This scope is the core of the integration. Authenticx uses it to discover which interactions occurred within a time window, retrieve interaction metadata, and download audio recordings for analysis. Without it the integration cannot function. The scope is read-only and does not permit creating, modifying, or deleting any data.

`users:read`

API: Vonage User Admin API

What it does: Grants read-only access to agent and user account information.

Why it is required: Each interaction includes a handling agent identifier. Authenticx resolves that identifier into agent metadata (name, email, agent code) so audio can be tagged correctly on ingest. The scope is read-only and does not permit modifying or creating user accounts.

`stats`

API: Vonage Insights Stats API

What it does: Grants read-only access to interaction-level statistics.

Why it is required: The Interaction Content API does not include all metadata needed for audio tagging. Call direction (inbound vs. outbound) is only available through the Stats API. Authenticx retrieves this once per interaction to enrich the metadata record. The scope is read-only and does not permit writing or modifying any data.

Required VCC User-Level Feature Permissions

Vonage's Interaction Content API enforces permissions at the user level, not just the credential level. Even with interaction-content:read correctly scoped, the API will only return content that the credential-owning user account is permitted to access in VCC. If these feature permissions are not set, authentication will succeed but recordings may be silently absent or incomplete.

The following three feature permissions must be enabled for the user account used to create the API credentials:

View inbound interaction content: Yes

Why it is required: Without this, inbound recordings are excluded from API responses with no error returned. The integration will simply not see those calls.

View outbound interaction content: Yes

Why it is required: Same as above for outbound calls. Both permissions are needed to ensure complete coverage across all interaction directions your team wants analyzed.

Access groups of users' content (overrides line permissions): Yes

Why it is required: Without this, the API only returns recordings for agents within the credential owner's direct reporting line, silently omitting everyone else. Enabling it allows Authenticx to retrieve recordings across all agent groups without requiring a privileged admin account.

Least Privilege Summary

Permission	Type	Access Level	Purpose
`interaction-content:read`	OAuth scope	Read-only	List, fetch, and download call recordings
`users:read`	OAuth scope	Read-only	Resolve agent identifiers to agent metadata
`stats`	OAuth scope	Read-only	Retrieve call direction and interaction stats
View inbound interaction content	VCC feature permission	Read-only	Access inbound recordings via the API
View outbound interaction content	VCC feature permission	Read-only	Access outbound recordings via the API
Access groups of users' content	VCC feature permission	Read-only	Access recordings across agent groups

All six items are read-only. Authenticx does not request and cannot perform any write, modify, or delete operations through these credentials.