Simple Auth not so simple...can't create customer

Simple Auth looks like the way to go for us: I’m building a monitor which notifies an app when certain alert conditions are met- and while I could just build the app with the SDK and hope it works, I’m trying to understand the API, and specifically how customers, products and scoping works in this context.

I’ve used the Console to create a product, and to create an OAuth ClientID and secret. This particular client was initially scoped to “create customer” but I’ve changed that in the Console to all permissions. But when I try and use this, I get “Organization not found for user’s role”…and the docs are silent on organisations…

curl -s -X POST https://api.particle.io/v1/products/$slug/customers -u "$phoneappID:phoneappsecret" -d "email=cust8@example.com" -d "password=test8" -d "full_name=customer8" | jq '.'
{
  "ok": false,
  "error": "Organization not found for user's role."
}

However, using my own token DOES enable me to create a customer:

curl -H "Authorization: Bearer $mytoken" https://api.particle.io/v1/products/$slug/customers -d "email=cust6@example.com" -d "password=test6"
{"token_type":"bearer","access_token":"43aaaobfuscated29","expires_in":7776000,"refresh_token":"oooobfuscatedf8a31b3"}

But this customer is NOT able to claim a device- using the device claim API fails:

curl https://api.particle.io/v1/products/$slug?access_token=$cust6token
{"ok":false,"error":"Organization not found for user's role."}

although it can log on to the Particle app and initiate the setup of a new photon- that setup fails at the verify device ownership stage. At that time the device was online, but unclaimed.

Overall it seems to me I haven’t understood the scoping of customers and tokens and the specific APIs to use. Any and all help appreciated. Ideally I’d like a walkthrough for Single Auth product and customer setup similar to this for Two legged Auth from rickkas7 -unfortunately it doesn’t discuss using the API to claim a device, but discusses manually claiming the device over wifi, which I don’t need (I hope!).