Planned Changes to the API

2025.04.14 – User API Key Deprecation and OAuth 2.0 Transition

We are phasing out the legacy User API Key login flow, which uses the oidcLogin endpoint to exchange an OpenID Connect id_token for a BambooHR-specific API key. This custom login mechanism is being replaced by standard OAuth 2.0 access tokens, which offer stronger security, clearer permission scopes, and broader industry support.

As part of this transition, applications still using oidcLogin must include the legacy.login scope in the scope field of their token.php request by June 30, 2025. Including this scope ensures the system can properly authorize the request and present the appropriate consent to users. Requests missing this scope will be rejected after the deadline.

While existing applications may continue to use oidcLogin for now (with the required scope), we strongly recommend migrating to OAuth 2.0 as soon as possible. OAuth 2.0 access tokens are now the recommended and fully supported method for authenticating with the BambooHR API.