API News & Updates

API 2.1 now live

We are delighted to announce that the latest version of our API - version 2.1 - is now live. 
The only difference between 2.0 and 2.1 is in the format of the ORCID iD, now updated to the HTTPS canonical form: https://orcid.org/0000-0001-2345-6789. There are no other functional changes to API calls or the XSD in this release. If you prefer to stay on 2.0, please rest assured it will receive the same support and sunset date as 2.1 (and we hope to push the sunset date out as far as possible).

Auth code behavior update: Tokens revoked if same auth code is used twice

Starting November 14, 2017, when an authorization code is used to generate access tokens twice, then all access tokens and refresht okens resulting from that authorization code will be revoked. We do not expect this change to affect any integrations but wanted to make everyone aware of the update.

Currently authorization codes can only be used once and must be used within 10 minutes of being generated.

Authorization codes used twice will revoke token

This announcement is to inform you that we’re changing the behavior when you attempt to exchange a single authorization code multiple times. Currently when an authorization code is exchanged the first time we return an access token, if the authorization code is used again we return an error message but take no action on the token. With this update, on the second exchange we’ll continue to return an error message but will also revoke the token that was generated on the first exchange.

Use root url when requesting OAuth tokens

Recently we have been making several changes to improve the ORCID API; one is standardizing the url used during the token exchange so it is the same on both the Public and Member API, and ending support for api-specific urls.