This announcement is to inform you that we’re changing the behavior when you attempt to exchange a single authorization code multiple times. Currently when an authorization code is exchanged the first time we return an access token, if the authorization code is used again we return an error message but take no action on the token. With this update, on the second exchange we’ll continue to return an error message but will also revoke the token that was generated on the first exchange.
This update brings our API behavior in line with the suggestions in the OAuth2 Framework. We do not expect this change to affect any integrations as authorization codes should never be exchanged more than once, but if you have any concerns please let us know.