Genesys Cloud - Developer Announcements!

Deprecation: Token Implicit Grant (Browser) option for OAuth authorization

    Posted 21 days ago

    Summary

    The Token Implicit Grant (Browser) option is being deprecated when creating or editing OAuth clients. This change affects customers currently using the Implicit Grant flow, including those leveraging it in Embeddable Framework applications.

    • Beginning March 2026, the Implicit Grant option will no longer be available for new OAuth client creation.
    • By March 2027, all existing clients must migrate to the Authorization Code with PKCE grant flow.

    The PKCE flow is already supported and provides stronger security in alignment with OAuth 2.0 best practices.

    No immediate action is required for existing clients, but customers should begin planning their migration to PKCE to ensure continued access and compliance ahead of the deprecation deadlines.

    Deprecation effective immediately.

    Removal planned on or after 09 March 2026.

    Effective Date

    Tuesday, November 11, 2025

    Details

    The OAuth 2.0 Security Best Practice documentation recommends against using the Implicit flow, and recommends using the authorization code flow with PKCE instead. The Implicit Grant flow was allowed in the past because it wasn’t really possible to implement the regular OAuth flow in a browser. Technologies have since changed to the extent that this is now possible, so the time has come to deprecate the less secure Implicit Grant flow.

    Customer Impact

    From March 2026, the Implicit Grant option will no longer be available for new OAuth client creation, and by March 2027, existing clients must transition to the more secure Authorization Code with PKCE grant flow. From an API perspective, any applications that automate the creation of OAuth clients with the token implicit grant type will start failing from March 2026. These applications will need to be updated to use the Authorization Code flow with PKCE instead.

    Impacted Resources

    POST /api/v2/oauth/clients

    PUT /api/v2/oauth/clients/{clientId}

    Issue References

    PURE-6071

    CWC-5674

    Contacts

    @David Murray  

    Please reply to this announcement with any questions. This helps the wider developer community benefit from the discussion. We encourage you to use this thread before contacting the designated person directly. Thank you for your understanding.