Summary
To strengthen platform security and ensure consistent permission enforcement across all user management APIs, we’re introducing stricter validation of OAuth client permissions.
After this change, OAuth clients without the required permissions will no longer be able to perform user management actions through the following endpoints:
| Endpoint | Impacted Action |
| --- | --- |
| POST /authorization/divisions/:divisionId/USER | Move users between divisions |
| POST /users/:userId/invite | Send user invites |
| PATCH /users/:userId | Update user information |
| PUT /users/:userId/profile | Update user profile |
The changes will be applied on or after 01 December 2025.
Effective Date
Monday, December 1, 2025
Details
This update aligns API behavior with platform-wide permission standards and improves overall security posture.
Customer Impact
What You Need to Do
- Review your OAuth client permissions to ensure they include the appropriate scopes before this change takes effect.
- Update automation or integration scripts that rely on these endpoints to prevent failures after enforcement begins.
- Note that, once enforcement begins, requests made without the correct permissions will return an HTTP 403 Forbidden error.
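As an added example (not part of this announcement or the platform's own tooling), a small Python helper that flags which of an integration's calls hit the listed endpoints and recognises the post-enforcement 403 so scripts fail loudly instead of silently; the `api.example.invalid` host, the `/api/v2` prefix and the ids in the sample are placeholder assumptions.

```python
import re
from urllib.parse import urlsplit

# Endpoints listed in the announcement; ":param" stands for exactly one path segment.
IMPACTED_ENDPOINTS = {
    ("POST", "/authorization/divisions/:divisionId/USER"): "Move users between divisions",
    ("POST", "/users/:userId/invite"): "Send user invites",
    ("PATCH", "/users/:userId"): "Update user information",
    ("PUT", "/users/:userId/profile"): "Update user profile",
}

def _compile(template: str) -> re.Pattern:
    # Match the template as the tail of the path so an API prefix (e.g. a version segment)
    # is ignored; ":param" matches one non-empty segment; a trailing slash is tolerated.
    segments = [r"[^/]+" if s.startswith(":") else re.escape(s) for s in template.strip("/").split("/")]
    return re.compile(r"(?:^|/)" + "/".join(segments) + r"/?$")

_RULES = [(m, _compile(t), action) for (m, t), action in IMPACTED_ENDPOINTS.items()]

def impacted_action(method: str, url: str):
    """Return the impacted action if (method, url) hits an affected endpoint, else None."""
    path = urlsplit(url).path
    for rule_method, pattern, action in _RULES:
        if method.upper() == rule_method and pattern.search(path):
            return action
    return None

def is_permission_failure(method: str, url: str, status: int) -> bool:
    # After enforcement, a 403 on an impacted endpoint means the OAuth client lacks the
    # required permission; callers should raise on True rather than retry or skip silently.
    return status == 403 and impacted_action(method, url) is not None

def audit_calls(calls):
    """Return (method, url, action) for each of an integration's calls that will be affected."""
    return [(m, u, a) for m, u in calls if (a := impacted_action(m, u))]

# Constructed sample of an integration's calls (placeholder host and ids, not real values).
SAMPLE_CALLS = [
    ("PATCH", "https://api.example.invalid/api/v2/users/user-0001"),
    ("GET", "https://api.example.invalid/api/v2/users/user-0001"),
    ("POST", "https://api.example.invalid/api/v2/users/user-0001/invite"),
    ("PUT", "https://api.example.invalid/api/v2/users/user-0001/profile"),
    ("POST", "https://api.example.invalid/api/v2/authorization/divisions/div-0001/USER"),
    ("PATCH", "https://api.example.invalid/api/v2/users/user-0001/profile"),
]

if __name__ == "__main__":
    for method, url, action in audit_calls(SAMPLE_CALLS):
        print(f"{method:5} {url} -> {action}")
```

Running the module lists the four sample calls that fall under the new check; the GET and the PATCH on the profile path are correctly left out.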
Impacted Resources
POST /authorization/divisions/:divisionId/USER
POST /users/:userId/invite
PATCH /users/:userId
PUT /users/:userId/profile
Issue References
PLUG-1002
Contacts
@Ananya Singh Please reply to this announcement with any questions. This helps the wider developer community benefit from the discussion. We encourage you to use this thread before contacting the designated person directly. Thank you for your understanding.