We have introduced the latest date-based, versioned OAuth API for token issuance and introspection, as announced previously here. As adoption of the new OAuth API grows, we are beginning to deprecate the legacy v1 OAuth API. As part of this transition, a new REVOKE endpoint is also being introduced for the latest date-based versioned OAuth API, and the v1 API will be fully deprecated on February 16th, 2027.
The following v1 OAuth API endpoints will be deprecated:
POST /v1/tokenGET /v1/access-tokens/{token}GET /v1/refresh-tokens/{token}DELETE /v1/refresh-tokens/{token}These endpoints accept sensitive information and tokens in query parameters or the path, potentially exposing secrets in logs, browser history, or application telemetry.
Important note: The following v1 OAuth API endpoint: DELETE /v1/refresh-tokens/{token}, will be replaced by a new POST /oauth/2026-03/token/revoke endpoint.
Review all applications and integrations using the deprecated v1 OAuth API endpoints. Migrate to the latest date-based versioned OAuth API endpoints:
POST /oauth/2026-03/tokenPOST /oauth/2026-03/token/introspectPOST /oauth/2026-03/token/revokeas soon as possible.
The v1 OAuth API endpoints will remain accessible until February 16th, 2027. All developers are strongly encouraged to complete migration to the date-based versioned OAuth API before this date to avoid service interruptions. Our latest API documentation provides migration guidance and usage examples for the latest OAuth API endpoints.
Questions or comments? Please join us in the developer forum for a peer-to-peer discussion.