Deprecation: localhost redirect URIs for dynamically registered OAuth apps

Using a localhost address as the OAuth redirect URI for dynamically registered (DCR) apps is deprecated. From 1 August 2026 Teamwork will stop accepting these redirect URIs, both at registration and at token exchange. If your integration registers itself through Dynamic Client Registration (RFC 7591) and redirects back to a local address, you need to migrate to a non-localhost HTTPS redirect URI before that date.

Who is affected

You are affected only if both are true:

  • Your app is registered via Dynamic Client Registration (it was not created and installed through a specific Teamwork site/installation), and

  • One or more of its redirect URIs points at the local machine: localhost, 127.0.0.1, or ::1 (any port, any scheme).

Apps registered and installed normally through the Developer Portal are not affected.

What changes during the deprecation window (16 June – 1 August 2026)

Your integration keeps working, but responses from the authorization and token endpoints now carry standard deprecation signals so you can detect this programmatically:

Deprecation: @1781568000
Link: <https://docs.teamwork.com/oauth-dcr-localhost-deprecation>; rel="deprecation"; type="text/html"
Sunset: Sat, 01 Aug 2026 00:00:00 GMT
Link: <https://docs.teamwork.com/oauth-dcr-localhost-sunset>; rel="sunset"; type="text/html"

  • Deprecation (RFC 9745) — the date the feature became deprecated, as a Unix timestamp (@1781568000 = 16 June 2026).

  • Sunset (RFC 8594) — the date the feature is removed (1 August 2026).

  • The Link headers point to this page and to the removal notice.

No tokens are blocked yet — this is your window to migrate.

What to do

  1. Register or update your app to use a hosted HTTPS redirect URI you control (for example, https://app.example.com/oauth/callback).

  2. For native/desktop/mobile apps that cannot host a URL, switch to a private-use URI scheme (a custom scheme such as com.example.myapp:/oauth/callback).

  3. For local development, front your local server with an HTTPS tunnel (so the registered redirect URI is a public HTTPS host, not localhost).

  4. Remove the localhost / 127.0.0.1 / ::1 redirect URIs from your app once migrated.

⚠️ After 1 August 2026, requests that still use a localhost redirect URI will fail.