OIDC

Authorization Code with PKCE fails

Confirm redirect URI match, PKCE challenge method, client type, tenant host, and discovery metadata before retrying the browser flow.

• Use a public PKCE client for browser or native app flows.
• Validate callback URL casing and environment host.
• Inspect userinfo for tenant, organization, membership, and session context.

Operations

Webhook delivery or export looks incomplete

Check subscription state, secret rotation timing, failed-delivery history, replay attempts, and the requested CSV or NDJSON export window.

• Use replay for failed deliveries after fixing the receiver.
• Rotate secrets with one-time capture handling.
• Keep tenant and organization identifiers in the support case.

Device trust

Activation, lease, or gateway behavior is unexpected

Separate device identity, installation identity, license activation, offline lease, and certificate credential state when reviewing behavior.

• Confirm activation approval and seat assignment.
• Check heartbeat, lease expiry, grace policy, and renewal counter.
• For mTLS, confirm trusted-proxy or direct certificate termination configuration.

Enterprise

SSO or SCIM provider setup needs review

Validate issuer metadata, client credentials, redirect URI, provider key, allowed domains, SCIM token, and setup diagnostics.

• OIDC sign-in is the current supportable browser sign-in path.
• SCIM lifecycle provisioning uses connection-scoped bearer tokens.
• SAML setup data and diagnostics are supported, while host-side SAML browser runtime remains a current limitation.

Marketplace

Catalog, install, subscription, or seats fail

Review external-consumption policy, product and edition publication status, visibility, allowlist entries, installation status, subscription status, entitlement state, and seat assignments.

• Catalog eligibility is not just publication; visibility and allowlist rules also apply.
• A subscription requires an active product installation first.
• Provider-facing entitlement validation is a known follow-up area, not a current public endpoint.

Service clients

Client credentials call is denied

Confirm the Automation client, token endpoint, requested scopes, client secret or certificate material, API audience, and protected API scope policy.

• Do not reuse InteractiveWeb clients for machine-to-machine calls.
• Keep machine credentials in a secret store and rotate them when exposed.
• For manifest publishing, note that the current endpoint still has a Basic compatibility path.