
Authorization codes used twice will revoke token

This announcement is to inform you that we’re changing what happens when a single authorization code is exchanged more than once. Currently, the first time an authorization code is exchanged we return an access token; if the authorization code is used again, we return an error message but take no action on the token. With this update, on the second exchange we’ll continue to return an error message but will also revoke the token that was generated on the first exchange.

This update brings our API behavior in line with the suggestions in the OAuth2 Framework. We do not expect this change to affect any integrations, as authorization codes should never be exchanged more than once, but if you have any concerns, please let us know.
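The new behavior, modelled as a small in-memory token endpoint. This is an added example, not ORCID's code: the class and method names, the client ID, and the `invalid_grant` error string (the RFC 6749 error name) are assumptions, and the actual error body returned by the API may differ.

```python
import secrets


class TokenEndpoint:
    """Hypothetical in-memory model of authorization-code exchange."""

    def __init__(self):
        self.codes = {}      # code -> {"client_id": str, "token": str or None}
        self.active = set()  # access tokens that are currently valid

    def issue_code(self, client_id):
        code = secrets.token_urlsafe(8)
        self.codes[code] = {"client_id": client_id, "token": None}
        return code

    def exchange(self, code, client_id):
        entry = self.codes.get(code)
        if entry is None or entry["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if entry["token"] is not None:
            # Second exchange of the same code: still an error, and the
            # token generated on the first exchange is revoked as well.
            self.active.discard(entry["token"])
            return {"error": "invalid_grant"}
        token = secrets.token_urlsafe(16)
        entry["token"] = token  # remember which token this code produced
        self.active.add(token)
        return {"access_token": token, "token_type": "bearer"}

    def is_active(self, token):
        return token in self.active


def replay_demo():
    """Exchange one code twice and report token validity before and after."""
    ep = TokenEndpoint()
    client = "APP-CONSTRUCTED"  # constructed client ID, not a real one
    code = ep.issue_code(client)
    first = ep.exchange(code, client)
    valid_before = ep.is_active(first["access_token"])
    second = ep.exchange(code, client)
    valid_after = ep.is_active(first["access_token"])
    return first, valid_before, second, valid_after


if __name__ == "__main__":
    first, before, second, after = replay_demo()
    print("first exchange issued token:", "access_token" in first)
    print("token valid before replay:", before)
    print("second exchange:", second)
    print("token valid after replay:", after)
```

An integration that retries the exchange request after a timeout can trigger this path, so a retry should start a new authorization request rather than resend the same code.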