Of course, I post after working on it for 2 hours. After watching some Netflix, and coming back for 10 minutes, I figure it out. But hey, that’s life.
I was crisscrossing my customer and token generation. I put my client id and client secret as user and password in the body of the x-www-form-urlencoded body. This is not an alternative to basic auth, so the password was taken as the password for the user I created, not the client secret.
And evidently, you can’t generate a token for a user that has a password, which makes sense, because there’s a different API to generate that.
So, I deleted the old user, and created the new one using basic auth (client secret and credentials as Username and Password in the header). So I got back a response that differed slightly from the sample response. It also contained a scope field of the form:
Then, after trying the same curl command to generate the customer token, it worked, because the customer had been created with scope using client credentials.
All is well, and the IoT revolution marches on.