Earlier this year, we updated our API Guide to let developers know that SoundCloud authentication is now operating on the OAuth 2.1 protocol, a popular open standard used by many API providers. This change needed to be made to ensure that we are staying up-to-date in maintaining the highest level of security possible to protect our platform from potential bad actors.
As a result, we must ask that our developer community adhere to this new standard as well. We are giving developers who already implemented SoundCloud authorization using OAuth 2.0 a grace period to transition their integrations to OAuth 2.1 and ask that these updates be made by October 1, 2024, at the latest. We will deprecate the OAuth 2.0 protocol after October 1, so your integration will no longer function properly should you fail to meet this deadline.
For reference, you can see the differences between these standards in the RFC. The most notable change is that PKCE is now required in order to securely exchange the auth code.
Please understand that we will not be making exceptions to this requirement. We will be notifying all developers of this update via email, and will continue to send reminders over the next months. As always, also be sure to keep an eye on this blog and our Developer Twitter account for other updates to come.