Use root url when requesting OAuth tokens

Recently we have been making several changes to improve the ORCID API; one is standardizing the url used during the token exchange so it is the same on both the Public and Member API, and ending support for api-specific urls.

Please ensure that your integrations are using the root url, https://orcid.org/oauth/token (https://sandbox.orcid.org/oauth/token on the sandbox), to request access tokens. This applies for both tokens requested when exchanging an authorization code as part of the 3 step OAuth, and when using credentials to request a 2 step authorization code.

Since 2015, we have supported using both the root url (https://orcid.org/oauth/token) and the api urls (https://api.orcid.org/oauth/token and https://pub.orcid.org/oauth/token) to obtain access tokens. This change standardizes the exchange process and provides more security and stability for integrations. For example, calls to the public API url https://pub.orcid.org/oauth/token were rejected when the public API was down for two hours earlier this month, while the root url https://orcid.org/oauth/token remained available.

We plan to end support for tokens on the api urls with the sunsetting of version 1.2 of the API in the fourth quarter of 2017, and we will work with any members who have already upgraded to 2.0 and cannot make this additional change by then. If you need further information about how this may affect your workflow, let us know.