PKCE grant isn't supported with Embedded Framework yet, it's in development and should be released soon according to the roadmap
------------------------------
Jan Heinonen
Contact Center Specialist
GlobalConnect AB
------------------------------
Original Message:
Sent: 04-23-2026 17:11
From: Andrew Dong
Subject: How to utilize PKCE for Private Deployment of Embeddable Framework
Bump
------------------------------
Andrew Dong
Original Message:
Sent: 04-17-2026 16:07
From: Andrew Dong
Subject: How to utilize PKCE for Private Deployment of Embeddable Framework
Hi Fernando,
Thanks for replying.
I am still currently using `User.getAuthToken` but I see the following warning in my console:
Whenever I try using the auth token to make API requests to Genesys Platform, I receive a CORS issue. In my OAuth with the PKCM grant type, I have my application's URL under the list of authorized redirect URIs - similar to what I've done previously for implicit grant.
> The main gap right now is that the documentation does not yet provide a detailed "code-level migration guide" from implicit to PKCE for the Embeddable Framework. However, based on what is officially published, the change is handled at the authentication layer (OAuth configuration), not at the framework API level.
Does this mean that we don't need to make any adjustments to the framework.js file and all changes for the migration are done at the OAuth config level?
------------------------------
Andrew Dong
Original Message:
Sent: 04-17-2026 15:36
From: Fernando Sotto dos Santos
Subject: How to utilize PKCE for Private Deployment of Embeddable Framework
Hello Andrew,
You're right to look into this now, the deprecation of the implicit grant means that moving to PKCE is the correct path, especially for Embeddable Framework use cases.
Based on the current Genesys Cloud documentation, the migration for private deployments of the Embeddable Framework is primarily focused on the OAuth client configuration, rather than a change in how you retrieve the token within the framework itself.
For private deployments, the official guidance still states that you should create an OAuth client of type "Genesys Cloud Embeddable Framework" and use Authorization Code Grant with PKCE (recommended). Once that is configured, the Client ID must be added to the clientIds parameter in your framework.js configuration.
From what is documented today, there is no indication that the User.getAuthToken method is being deprecated or replaced for private deployments. This method is still referenced in the context of Embeddable Framework implementations, and the documentation continues to associate private deployments with retrieving the user token via the framework.
The main gap right now is that the documentation does not yet provide a detailed "code-level migration guide" from implicit to PKCE for the Embeddable Framework. However, based on what is officially published, the change is handled at the authentication layer (OAuth configuration), not at the framework API level.
------------------------------
Fernando Sotto dos Santos
Consultor de Atendimento Senior Grupo Casas Bahia
Original Message:
Sent: 04-17-2026 10:40
From: Andrew Dong
Subject: How to utilize PKCE for Private Deployment of Embeddable Framework
Hello!
I recently learned about the deprecation of the implicit grant OAuth type which my application uses for grabbing auth tokens from the embeddable framework to make API requests to Genesys Platform.
I saw that in the most recent release notes from April 13th that the embeddable framework now supports PKCE.
I was wondering what are the steps to do the migration? The current documentation doesn't really specify anything other than selecting PKCE as the grant type.
Do we still call User.getAuthToken?
Thanks!
#EmbeddableFramework
------------------------------
Andrew Dong
------------------------------