Deprecated: query-string credentials on `POST /v1/auth`
Announced: 2016-June-01
Removal date: 2026-December-04
Affected endpoint: POST /v1/auth
What's changing
Sending credentials as query-string parameters on POST /v1/auth?client_id=...&client_secret=... is deprecated. You must migrate to passing the credentials as POST body variables before the removal date. After that, query-string authentication will return 403 Forbidden.
No other endpoints are affected. The response shape, token format, and downstream API behavior are unchanged.
Only new credentials created after the 1st of June are affected; existing credentials must be migrated before January the 4th 2027.
Why
As a security best practice, credentials should travel in the request body rather than the URL. TLS encrypts URLs in transit, but URLs are treated as non-sensitive metadata once a request is received - access logs, reverse proxies, and CDNs routinely capture them. Sending credentials in the body keeps them out of those systems and prevents accidental exposure in logs. This change brings your integration in line with that standard.
How to migrate
Send credentials in the request body. Both form-encoded and JSON are accepted, as per the API documentation. See the documentation for examples in different programming languages.
Form-encoded:
```bash
curl -X POST "https://api.personio.de/v1/auth" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET"
```
Or JSON:
```bash
curl -X POST "https://api.personio.de/v1/auth" \
  -H "Content-Type: application/json" \
  -d '{"client_id":"YOUR_CLIENT_ID","client_secret":"YOUR_CLIENT_SECRET"}'
```
Credential rotation
Only your request format needs to change. As an additional security best practice, we also recommend taking this opportunity to rotate your credentials through the standard credential-management flow.
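To find integrations that still send credentials in the URL, and secrets that have already landed in logs and should be rotated, you can audit your own proxy or egress logs. The script below is an added example, not part of the original notice or the vendor's tooling; it assumes common/combined log format, and the sample lines, client IDs and the `/v1/other` path are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in common log format (not real traffic).
SAMPLE_LOG = '''\
10.0.0.5 - - [01/Jun/2026:10:00:01 +0000] "POST /v1/auth?client_id=app-one&client_secret=EXAMPLE-SECRET-1 HTTP/1.1" 200 312
10.0.0.6 - - [01/Jun/2026:10:00:02 +0000] "POST /v1/auth HTTP/1.1" 200 312
10.0.0.5 - - [01/Jun/2026:10:05:00 +0000] "POST /v1/auth?client_secret=EXAMPLE-SECRET-1&client_id=app-one HTTP/1.1" 200 312
10.0.0.7 - - [01/Jun/2026:10:06:00 +0000] "GET /v1/other?limit=10 HTTP/1.1" 200 9001
10.0.0.8 - - [01/Jun/2026:10:07:00 +0000] "POST /v1/auth?client_id=app-two&client_secret=EXAMPLE%2DSECRET%2D2 HTTP/1.1" 200 312
'''

# Request line inside the quoted field of a common/combined log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Secret value runs until the next parameter, whitespace or closing quote.
SECRET_RE = re.compile(r'(client_secret=)[^&\s"]+')


def find_query_string_auth(lines):
    """Return (Counter of client_id -> hits, redacted offending lines)."""
    hits = Counter()
    redacted = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m or m["method"] != "POST":
            continue
        url = urlsplit(m["target"])
        if url.path.rstrip("/") != "/v1/auth":
            continue
        params = parse_qs(url.query, keep_blank_values=True)
        if "client_id" not in params and "client_secret" not in params:
            continue  # body-based auth: nothing sensitive in the URL
        hits[params.get("client_id", ["<unknown>"])[0]] += 1
        # Never echo the secret back into reports or tickets.
        redacted.append(SECRET_RE.sub(r"\1[REDACTED]", line))
    return hits, redacted


if __name__ == "__main__":
    counts, evidence = find_query_string_auth(SAMPLE_LOG.splitlines())
    for client_id, n in counts.most_common():
        print(f"{client_id}: {n} query-string auth request(s); migrate and rotate")
    for line in evidence:
        print(line)
```

Any client ID reported here has a secret stored in plaintext in that log file, so treat the log itself as sensitive until the secret is rotated.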
