This release replaces the previous authorization layer with a full OAuth 2.1 implementation covering the grant types required for modern enterprise deployments. Authorization code flows now require PKCE for all public clients; a new machine client path implements the client credentials grant for service-to-service authentication without user involvement; and error responses across all grant paths return a structured JSON body with defined field names.
Grant types and client categories
- Authorization code with mandatory PKCE. Browser-based and native clients use the authorization code flow with a code challenge and verifier pair; the server rejects authorization requests that omit the code challenge. An authorization code captured in transit or from a redirect is useless without the verifier that only the original client holds, which closes the authorization code interception attack.
- Machine client credentials. Service accounts and background agents authenticate directly with a client ID and secret using the client credentials grant, without an end-user authorization step. The machine client profile is configured independently of the user-facing client registry.
- Refresh token rotation. Issued refresh tokens are single-use: on each use the server issues a replacement and revokes the prior token, limiting the window in which a captured refresh token can be replayed.
Error handling
- Standardized error bodies. Authorization errors and token rejections return JSON bodies with `error` and `error_description` fields, making automated error handling reliable across all endpoints.
- Machine client diagnostics. When machine client authentication fails (expired secret, mismatched scope, revoked client), the server returns a specific error code and description without exposing configuration internals.
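Added example, not code from this release or its authorization server: a minimal in-memory Python model of the behaviour the two lists above describe, covering mandatory S256 PKCE at the authorization endpoint, single-use authorization codes, rotating single-use refresh tokens, the client credentials grant for a machine client, and `error`/`error_description` bodies on every rejection. The `AuthServer` class, the `svc-billing` machine client, its secret, scopes and expiry, and the fixed clock are all constructed for illustration and are not this product's API.

```python
import base64
import hashlib
import hmac
import secrets


def b64url(raw: bytes) -> str:
    """Base64url without padding, the encoding PKCE (RFC 7636) specifies."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Client side: a 43-character random verifier and its S256 challenge."""
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def error_body(code: str, description: str) -> dict:
    """Structured error shape: an RFC 6749 error code plus a human-readable description."""
    return {"error": code, "error_description": description}


class AuthServer:
    """Hypothetical in-memory stand-in for the authorization server; all state is constructed."""

    def __init__(self, now=lambda: 1_000_000.0):
        self.now = now                     # injectable clock so secret expiry can be exercised
        self.codes = {}                    # code -> {"client_id", "challenge"}; single-use
        self.refresh_tokens = {}           # live refresh token -> client_id; single-use
        # Constructed machine client registry: hashed secret, secret expiry, allowed scopes, revoked flag.
        self.machine_clients = {
            "svc-billing": {
                "secret_hash": hashlib.sha256(b"constructed-secret").digest(),
                "secret_expires": now() + 3600,
                "scopes": {"invoices:read"},
                "revoked": False,
            }
        }

    def authorize(self, client_id: str, code_challenge: str, method: str = "S256"):
        """Authorization endpoint: refuse any request that lacks an S256 code challenge."""
        if not code_challenge or method != "S256":
            return None, error_body("invalid_request", "code_challenge with code_challenge_method=S256 is required")
        code = b64url(secrets.token_bytes(16))
        self.codes[code] = {"client_id": client_id, "challenge": code_challenge}
        return code, None

    def _issue(self, client_id: str) -> dict:
        """Mint an access token plus a fresh refresh token and record the refresh token as live."""
        refresh = b64url(secrets.token_bytes(32))
        self.refresh_tokens[refresh] = client_id
        return {"access_token": b64url(secrets.token_bytes(32)), "token_type": "Bearer",
                "expires_in": 600, "refresh_token": refresh}

    def token(self, grant_type: str, **p):
        """Token endpoint. Returns (http_status, json_body)."""
        if grant_type == "authorization_code":
            entry = self.codes.pop(p.get("code", ""), None)       # pop: a code is never redeemable twice
            if entry is None or entry["client_id"] != p.get("client_id"):
                return 400, error_body("invalid_grant", "authorization code is unknown, already used, or bound to another client")
            expected = b64url(hashlib.sha256(p.get("code_verifier", "").encode("ascii")).digest())
            if not hmac.compare_digest(expected, entry["challenge"]):
                return 400, error_body("invalid_grant", "code_verifier does not match the code_challenge")
            return 200, self._issue(entry["client_id"])

        if grant_type == "client_credentials":
            client = self.machine_clients.get(p.get("client_id", ""))
            given = hashlib.sha256(p.get("client_secret", "").encode("utf-8")).digest()
            stored = client["secret_hash"] if client else bytes(32)  # compare even for unknown ids (no timing oracle)
            if client is None or not hmac.compare_digest(given, stored):
                return 401, error_body("invalid_client", "client authentication failed")
            # Only a caller that proved possession of the secret gets the more specific diagnostics below.
            if client["revoked"]:
                return 401, error_body("invalid_client", "client has been revoked")
            if client["secret_expires"] <= self.now():
                return 401, error_body("invalid_client", "client secret has expired")
            requested = set(p.get("scope", "").split())
            if not requested <= client["scopes"]:
                return 400, error_body("invalid_scope", "requested scope exceeds the client's registration")
            # No refresh token for machine clients: they re-authenticate with the secret instead.
            return 200, {"access_token": b64url(secrets.token_bytes(32)), "token_type": "Bearer",
                         "expires_in": 600, "scope": " ".join(sorted(requested))}

        if grant_type == "refresh_token":
            owner = self.refresh_tokens.pop(p.get("refresh_token", ""), None)  # pop: the prior token is now revoked
            if owner is None or owner != p.get("client_id"):
                return 400, error_body("invalid_grant", "refresh token is unknown, revoked, or already used")
            return 200, self._issue(owner)

        return 400, error_body("unsupported_grant_type", "grant_type is not supported by this server")
```

Two design points worth noting. The machine client path verifies the secret before it says anything more specific, so "revoked" and "secret expired" are only reported to a caller that already holds the valid secret; an unauthenticated probe learns only `invalid_client`, which keeps the diagnostics specific without turning the endpoint into a client-ID enumeration oracle. Refresh tokens are removed from the live set the moment they are presented, so a replay of a captured token after the legitimate client has rotated it fails with `invalid_grant`; a production server would persist this state, and many also revoke the whole token family on detected reuse, which the release text does not claim and this model does not do.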
Existing sessions and tokens issued under the previous authorization layer remain valid through their expiry; no forced re-authentication occurs on upgrade. Administrators configure the machine client registry through the authorization server administration panel.