Hello,
"Additionally, are there any future plans to deprecate or restrict the classic Authorization Code grant in Genesys Cloud?"
Not at this stage. The deprecation is only for Implicit Grant flow - in two stages:
(stage 1) Beginning March 2026, the Implicit Grant option will no longer be available for new OAuth client creation.
(stage 2) By March 2027, Implicit Grant flow will not be supported/functional and all existing clients must migrate to the Authorization Code with PKCE grant flow for browser-based only login (or to another supported OAuth grant flow).
"Or is Authorization Code + PKCE mandatory for browser-based login scenarios regardless of where the exchange happens? (if so what is the core security reason behind it)"
Only Implicit Grant OAuth flow will be deprecated. You can use any of the other supported OAuth methods. If your implementation only involves a web-based app (and no backend nor 3rd party Identity Provider), then PKCE Grant will be the only available OAuth method for such a scenario (i.e. an implementation only involving a browser/client).
"Is it supported or recommended to migrate from Implicit → classic Authorization Code grant (without PKCE) for web login if the authorization code exchange happens only in the backend?"
I am not sure I understand what you imply with this question. If you have implemented a web app that is using Implicit Grant method, it likely means that Platform API requests (with the access token) are directly sent from your browser to Genesys Cloud.
If your question is to perform the Authorization Code Grant flow, involving your backend, and having the backend send back the Genesys Cloud access token to your web app/client, then it is not a good idea and not recommended. In this case, you should move to PKCE Grant flow. Authorization Code grant flow, involving a backend, implies that the backend will make requests to Genesys Cloud on behalf of the user.
If your backend will be the one making requests to Genesys Cloud using the Platform API, then, yes, you can use that approach.
Note that if your web app is leveraging the Platform API SDK for JavaScript, you should be able to migrate to the new flow with minimal changes: switching from the loginImplicitGrant method (JavaScript method) to the loginPKCEGrant method.
Regards,
------------------------------
Jerome Saint-Marc
Senior Development Support Engineer
------------------------------
Original Message:
Sent: 01-02-2026 02:00
From: ARJUN T P
Subject: Migrating from Implicit Grant – Can we use Authorization Code grant instead of PKCE?
Hi
We are currently using the Implicit grant for web-based login in our integrated application and are planning to migrate due to the announced deprecation.
We already have an existing Authorization Code grant (with client secret) implementation used for backend API access, where the token exchange happens server-side.
Question:
Is it supported or recommended to migrate from Implicit → classic Authorization Code grant (without PKCE) for web login if the authorization code exchange happens only in the backend?
Or is Authorization Code + PKCE mandatory for browser-based login scenarios regardless of where the exchange happens? (if so what is the core security reason behind it)
Additionally, are there any future plans to deprecate or restrict the classic Authorization Code grant in Genesys Cloud?
Thanks in advance for clarification.
#Integrations
------------------------------
ARJUN T P
Engineer
Feebak by Fantacode
------------------------------
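
Added example, not part of the thread above and not Genesys Cloud or SDK code: the check that the Authorization Code with PKCE grant adds (RFC 7636, S256), shown with a hypothetical in-memory authorization server. The names createVerifier, challengeFor, ToyAuthServer and demo are assumptions made for illustration.

```javascript
// Added illustration of RFC 7636 (PKCE, S256); not Genesys Cloud or SDK code.
const crypto = require('node:crypto');

// Client: a fresh high-entropy secret per login that never leaves the browser
// until the token request.
function createVerifier() {
  return crypto.randomBytes(32).toString('base64url'); // 43 characters
}

// code_challenge = BASE64URL(SHA-256(ASCII(code_verifier)))
function challengeFor(verifier) {
  return crypto.createHash('sha256').update(verifier, 'ascii').digest('base64url');
}

// Hypothetical authorization server, reduced to the PKCE bookkeeping.
class ToyAuthServer {
  constructor() { this.codes = new Map(); }
  // /authorize: bind the issued code to the challenge sent with the request.
  authorize(codeChallenge, method) {
    if (method !== 'S256') throw new Error('only S256 accepted');
    const code = crypto.randomBytes(16).toString('hex');
    this.codes.set(code, codeChallenge);
    return code;
  }
  // /token: a code is single-use and redeemable only with the matching verifier.
  token(code, codeVerifier) {
    const expected = this.codes.get(code);
    this.codes.delete(code); // burn the code whether or not the check passes
    if (expected === undefined) return { error: 'invalid_grant' };
    if (!/^[A-Za-z0-9\-._~]{43,128}$/.test(String(codeVerifier))) return { error: 'invalid_grant' };
    const got = Buffer.from(challengeFor(codeVerifier));
    const want = Buffer.from(expected);
    const ok = got.length === want.length && crypto.timingSafeEqual(got, want);
    return ok ? { access_token: 'constructed-sample-token' } : { error: 'invalid_grant' };
  }
}

// Constructed walk-through: the same verifier redeems the code once; a replayed
// code, or a code presented with a different verifier, is refused.
function demo() {
  const server = new ToyAuthServer();
  const verifier = createVerifier();
  const code1 = server.authorize(challengeFor(verifier), 'S256');
  const legit = 'access_token' in server.token(code1, verifier);
  const replay = 'access_token' in server.token(code1, verifier);
  const code2 = server.authorize(challengeFor(verifier), 'S256');
  const wrongVerifier = 'access_token' in server.token(code2, createVerifier());
  return { legit, replay, wrongVerifier };
}
console.log(demo());
```

Because a browser-only app cannot hold a client secret, the per-login verifier is what ties the token request to the browser that started the login.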