Planned Changes to the API
2025.04.14 – User API Key Deprecation and OAuth 2.0 Transition
We are phasing out the legacy User API Key login flow, which uses the oidcLogin endpoint to exchange an OpenID Connect id_token for a BambooHR-specific API key. This custom login mechanism is being replaced by standard OAuth 2.0 access tokens, which offer stronger security, clearer permission scopes, and broader industry support.
As part of this transition, applications still using oidcLogin must include the legacy.login scope in the scope field of their token.php request by June 30, 2025. This ensures the system can properly authorize the request and present the appropriate consent to users. Requests missing this scope will be rejected after the deadline.
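A pre-deadline check for the scope requirement above, as an added example that is not BambooHR's own code: it audits token.php request bodies for a missing legacy.login scope and produces the corrected body. It assumes a form-encoded body with space-delimited scopes (RFC 6749 section 3.3); the sample bodies and every field name other than scope are constructed for illustration.

```python
from urllib.parse import parse_qsl, urlencode

REQUIRED_SCOPE = "legacy.login"  # scope name taken from the notice above


def has_required_scope(body: str) -> bool:
    """True if the form-encoded body lists legacy.login as a whole scope token."""
    params = dict(parse_qsl(body, keep_blank_values=True))
    # Assumption: scopes are space-delimited (RFC 6749 section 3.3).
    # Splitting into tokens avoids matching look-alikes such as legacy.login.read.
    return REQUIRED_SCOPE in params.get("scope", "").split()


def add_required_scope(body: str) -> str:
    """Return the body with legacy.login appended to scope if it is missing."""
    if has_required_scope(body):
        return body
    out, seen = [], False
    for key, value in parse_qsl(body, keep_blank_values=True):
        if key == "scope":
            value = " ".join(value.split() + [REQUIRED_SCOPE])
            seen = True
        out.append((key, value))
    if not seen:  # request carried no scope field at all
        out.append(("scope", REQUIRED_SCOPE))
    return urlencode(out)


def audit(samples: dict) -> list:
    """Names of sample requests that lack the required scope."""
    return sorted(n for n, body in samples.items() if not has_required_scope(body))


# Constructed sample bodies; grant_type, code and the other scopes are illustrative.
SAMPLES = {
    "ok": "grant_type=authorization_code&code=EXAMPLE&scope=openid+legacy.login",
    "missing": "grant_type=authorization_code&code=EXAMPLE&scope=openid+email",
    "no_scope_field": "grant_type=authorization_code&code=EXAMPLE",
    "lookalike": "grant_type=authorization_code&code=EXAMPLE&scope=legacy.login.read",
}

if __name__ == "__main__":
    for name in audit(SAMPLES):
        print(name, "->", add_required_scope(SAMPLES[name]))
```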
While existing applications may continue to use oidcLogin for now (with the required scope), we strongly recommend migrating to OAuth 2.0 as soon as possible. OAuth 2.0 access tokens are now the recommended and fully supported method for authenticating with the BambooHR API.