Breaking Change: Generate authorization code (Authorization Code Grant Flow)
April 15th, 2025 by Nathan Hall
Effective in API Version: v1
Type: Breaking Change
Staging Release Date: 26/04/2025
Staging Deprecation Date: 26/04/2025
Production Release Date: 06/05/2025
Production Deprecation Date: 06/05/2025
🔄 What’s Changing
- The code parameter is now single-use and time-limited.
- The response will include both an access token and a refresh token.
Endpoint:
POST https://staging.adfin.com/api/oauth2/token
Example Request:
curl --location 'https://staging.adfin.com/api/oauth2/token' \
--data-urlencode 'grant_type=authorization_code' \
--data-urlencode 'client_id=YOUR_CLIENT_ID' \
--data-urlencode 'client_secret=YOUR_CLIENT_SECRET' \
--data-urlencode 'code={{code}}' \
--data-urlencode 'redirect_uri=https://your-platform.com/redirect'
Example Response:
{
"refresh_token": "v1.MhlEYQMefCqqYCBk6yECWoEO3HFROz_W2UUTWXnFRolR6ZMJ1nG1sH1zJJYboLUsxhxQ0_s49nLJzDNCUjuZH0Y",
"access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjNjY1VXRGEtT3BjeTN6cl9GWlpmYyJ9.eyJodHRwczovL2F1dGguYWRmaW4uY29tL3JvbGVzIjpbImJpbGxlci1hZG1pbiJdLCJpc3MiOiJodHRwczovL2F1dGhlbnRpY2F0aW9uLmRldi5hZGZpbi5jb20vIiwic3ViIjoiYXV0aDB8NjdmYWIwMDkwNThmNGMxMjA2ZjM4Y2QwIiwiYXVkIjpbImh0dHBzOi8vbG9jYWwtYXV0aDAtYXBpLmFkZmluLmNvbSJdLCJpYXQiOjE3NDQ3MjY5ODQsImV4cCI6MTc0NDgxMzM4NCwic2NvcGUiOiJvcGVuaWQgcHJvZmlsZSBlbWFpbCBwaG9uZSBvZmZsaW5lX2FjY2VzcyIsImF6cCI6IkltSmh3MFFFNW9POTJuOEdiZUZkZmIwM2pUVDk1VlZ1In0.KXz2GltF-l2ezPu3PqxUH55Gjlc6ccZzz6ittDUCKF5F2TZyrKAp7ekFlw6-AfQ8nmONgpXF2Q0kuAsGiWAVte8J_KpH1McVbbfOWyiM3D4UjzhCTbFWkZ3rxVkn-GTWsC3LH2vkG0PLmXFOgbVceMXw2QkGMb9XzBg630CqIGQ4kzljEKCRqKZJr8xwpxP6XrM1fdib-HFRtsCMQ9Nw5ZeHiYDAG_F8lxxi9VYqUYWSumQvE3Bj2rNdbutpeJgLK75JULc-Qkq6z3wjAAmzBE2QuCfXR8RLEn1DwyDTxlJ_84KjHPqEmNFWMLhNgIU9XQ73HEWFNmIwfDb5kaTfCg",
"expires_in": 86400,
"token_type": "Bearer"
}
🚨 Impact
If you're persisting refresh tokens, you must ensure your integration stores and uses the newly issued refresh token after each refresh. Failing to do so will result in authentication failures.
🔧 Migration Plan
- Update your OAuth token handling logic to support refresh token rotation.
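One way to handle the rotation described under Impact and Migration Plan, as an added example that is not Adfin's code: a small Python store that replaces the saved token pair atomically after every refresh. It assumes the standard OAuth 2.0 `grant_type=refresh_token` form (the page does not show the refresh request); `post_form` is a hypothetical callable that posts the form to the token endpoint with your client credentials, and `FakeTokenEndpoint` is a constructed stand-in so the block runs offline.

```python
import json, os, tempfile, threading, time

class RotatingTokenStore:
    """Keeps only the newest token pair on disk (post_form: hypothetical transport)."""
    def __init__(self, path, post_form, skew=60):
        self.path, self.post_form, self.skew = path, post_form, skew
        self.lock = threading.Lock()  # one refresh at a time per process
    def load(self):
        with open(self.path) as f:
            return json.load(f)
    def _save(self, state):
        # mkstemp creates the file 0600; os.replace swaps it in atomically.
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(self.path) or ".")
        with os.fdopen(fd, "w") as f:
            json.dump(state, f)
        os.replace(tmp, self.path)

    def access_token(self, now=None):
        now = time.time() if now is None else now
        with self.lock:
            state = self.load()
            if state["expires_at"] - self.skew > now:
                return state["access_token"]  # still valid, no refresh
            resp = self.post_form({"grant_type": "refresh_token",  # assumed form
                                   "refresh_token": state["refresh_token"]})
            # Persist the NEW refresh token before returning the access token.
            self._save({"access_token": resp["access_token"],
                        "refresh_token": resp["refresh_token"],
                        "expires_at": now + resp["expires_in"]})
            return resp["access_token"]

class FakeTokenEndpoint:
    """Constructed stand-in: each refresh token is accepted exactly once."""
    def __init__(self, first):
        self.valid, self.issued = first, 0
    def __call__(self, form):
        if form["refresh_token"] != self.valid:
            raise PermissionError("invalid_grant")  # stale token replayed
        self.issued += 1
        self.valid = f"rt-{self.issued}"
        return {"access_token": f"at-{self.issued}", "refresh_token": self.valid,
                "expires_in": 86400, "token_type": "Bearer"}

def demo():
    path = os.path.join(tempfile.mkdtemp(), "tokens.json")
    store = RotatingTokenStore(path, FakeTokenEndpoint("rt-0"))
    store._save({"access_token": "", "refresh_token": "rt-0", "expires_at": 0})
    return (store.access_token(now=1000), store.access_token(now=1000 + 86400),
            store.load()["refresh_token"])
```

The lock only serialises refreshes inside one process; workers that share a refresh token across processes or hosts need a shared lock or a single refresher, otherwise two of them can race and one ends up holding a token that has already been rotated out.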