Legacy Authority Authentication Endpoints — Deprecation Guidance
Announced: 1 November 2025
Sunset (removal no earlier than): 1 May 2026
Summary
StellaOps Authority previously exposed OAuth 2.1 endpoints at /oauth/token, /oauth/revoke, and /oauth/introspect to ease migration from early previews. Those aliases are now deprecated in favour of the canonical paths (/token, /revoke, /introspect). All responses from the legacy routes include:
- Deprecation — RFC 7231 HTTP-date set to 1 November 2025.
- Sunset — HTTP-date advertising the planned removal on 1 May 2026.
- Warning — RFC 7234 299 warning describing the migration requirement.
- Link — rel="sunset" URI pointing back to this guidance.
No new features (DPoP nonces, audit upgrades, policy scopes) will ship on the legacy routes. After 1 May 2026 the aliases will return 410 Gone and be removed in the next major release.
Required Actions
- Service identities / CI pipelines – Update token, revocation, and introspection calls to target the canonical /token, /revoke, and /introspect endpoints. Regenerate OpenAPI clients if they relied on the deprecated paths.
- Gateway / proxy rules – Remove explicit rewrites that target /oauth/* so traffic flows directly to the canonical paths.
- Custom SDKs – Regenerate against the refreshed Authority OpenAPI spec (/.well-known/openapi) which marks legacy operations as deprecated: true.
- Monitoring – Alert on the authority.api.legacy_endpoint audit event or the 299 Warning header to verify migrations are complete.
Timeline & Support
| Date | Milestone |
|---|---|
| 1 Nov 2025 | Deprecation headers emitted, documentation published |
| Jan–Apr 2026 | Observability dashboards highlight remaining usage; support assists with migrations |
| 1 May 2026 | Legacy routes return HTTP 410 and will be removed in the next major release |
Questions? Contact the Authority Core guild or open a ticket with the API Governance Guild referencing AUTH-OAS-63-001.