Central Dispatch API Integration Failure
Resolved
Feb 06, 2026 at 10:24am UTC
Several Central Dispatch API operations - specifically Market Intelligence (pricing) and Marketplace (listing creation) - began returning 403 Forbidden and 402 Payment Required errors in production. This impacted the ability to fetch CD pricing data and post orders to Central Dispatch.
Root Cause
Central Dispatch provides two distinct authentication flows, each requiring its own set of API credentials (Client ID / Client Secret):
- Authorization Code Flow - used for authenticating Central Dispatch customers (OAuth login, token exchange, token refresh)
- Client Credentials Flow - used for server-to-server API calls (pricing lookups, listing creation)
Our system was configured with only one set of credentials (57fd8af0-...), which was being used for all operations - both OAuth authentication and direct API calls. This credential set is designated by Central Dispatch exclusively for the Authorization Code Flow (OAuth).
A second set of credentials (c01cc60e-...) had been issued to us by Central Dispatch for the Client Credentials Flow, but it was never integrated into the system. There was a brief attempt to swap credentials on January 6th, which was reverted within minutes due to the lack of a proper dual-credential architecture at the time.
Why It Worked Before
The single-credential configuration likely worked initially because Central Dispatch had not yet enforced strict permission boundaries between the two flows. Once Central Dispatch tightened their application-level permissions and product allocation policies, the OAuth-only credentials were no longer authorized to access server-to-server endpoints such as Market Intelligence and Marketplace APIs.
Resolution
The system has been updated to support both credential sets simultaneously:
- User login, token exchange, token refresh → Authorization Code flow (57fd8af0-...)
- Pricing lookups, listing creation → Client Credentials flow (c01cc60e-...)
- Dispatch, documents, carrier search, etc. → Authorization Code / user token (57fd8af0-...)
Changes made:
- CentralDispatchService now accepts separate OAuth and API credentials
- Configuration restructured to define both credential sets independently
- CdPricingService and PostToCD operations switched to Client Credentials flow
- All other customer-specific operations remain on the OAuth token as required by the CD API specification
Preventive Measures
- Diagnostic logging has been added to CD API calls to surface which credential/token is being used in real time
- Configuration now explicitly separates OAuth and API credentials, preventing accidental misuse
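The credential routing and diagnostic logging described above can be sketched as follows. This is an added example, not the project's own code: the operation keys, class names and client-ID placeholders are hypothetical, and no Central Dispatch API is called.

```python
import logging
from dataclasses import dataclass, field
from enum import Enum

log = logging.getLogger("cd.credentials")

class Flow(Enum):
    AUTHORIZATION_CODE = "authorization_code"
    CLIENT_CREDENTIALS = "client_credentials"

@dataclass(frozen=True)
class CredentialSet:
    flow: Flow
    client_id: str
    client_secret: str = field(repr=False)  # keep the secret out of repr() and tracebacks

    def label(self) -> str:
        # Diagnostic label: flow plus a short client-ID prefix, never the secret.
        return f"{self.flow.value}:{self.client_id[:8]}"

# Operation -> flow routing, following the Resolution list above.
# The operation keys are hypothetical names, not Central Dispatch identifiers.
ROUTES = {
    **dict.fromkeys(("user_login", "token_exchange", "token_refresh"), Flow.AUTHORIZATION_CODE),
    **dict.fromkeys(("pricing_lookup", "listing_creation"), Flow.CLIENT_CREDENTIALS),
    **dict.fromkeys(("dispatch", "documents", "carrier_search"), Flow.AUTHORIZATION_CODE),
}

class CredentialRouter:
    def __init__(self, oauth: CredentialSet, api: CredentialSet):
        # Fail at startup on the misconfiguration behind this incident:
        # a credential set wired to the wrong flow, or one client ID used for both.
        if oauth.flow is not Flow.AUTHORIZATION_CODE or api.flow is not Flow.CLIENT_CREDENTIALS:
            raise ValueError("credential set registered under the wrong flow")
        if oauth.client_id == api.client_id:
            raise ValueError("one client ID configured for both flows")
        self._by_flow = {oauth.flow: oauth, api.flow: api}

    def for_operation(self, operation: str) -> CredentialSet:
        flow = ROUTES.get(operation)
        if flow is None:
            # Fail closed: an unrouted operation gets no credential at all.
            raise KeyError(f"no credential route for operation {operation!r}")
        cred = self._by_flow[flow]
        log.info("cd_call operation=%s credential=%s", operation, cred.label())
        return cred
```

Routing through a single table means a new operation cannot silently inherit the OAuth credentials; it fails until someone assigns it a flow.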
Affected services