--- number: 45468 slug: 45468-breaking-change-oauth-token-endpoint-will-return-http-200-instead-of-201 published: 2026-05-01 discussion: https://github.com/orgs/supabase/discussions/45468 labels: - integrations - breaking-change page: https://supabase.com/changelog/45468-breaking-change-oauth-token-endpoint-will-return-http-200-instead-of-201 --- # Breaking Change: OAuth token endpoint will return HTTP 200 instead of 201 ## What's changing The [`/v1/oauth/token`](https://api.supabase.com/api/v1#tag/oauth/post/v1/oauth/token) endpoint currently returns HTTP `201 Created` on success. On **May 26, 2026**, this will change to HTTP `200 OK`. ## Why [OAuth 2.1 (section 3.2.3)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-15#section-3.2.3) mandates a `200` response from token endpoints. Returning `201` is non-compliant and has caused token exchange failures with some strict OAuth clients. ## Am I affected? You're only affected if your integration explicitly checks for a `201` status code from this endpoint. For example, the following popular client implementations check for a successful 2XX range and are unaffected: - [MCP TypeScript SDK](https://github.com/modelcontextprotocol/typescript-sdk/blob/7cccc2aca81f4cd961d2a0ef53e879f68a01df73/packages/client/src/client/auth.ts#L1504) — uses `response.ok` - [Vercel AI SDK (`@ai-sdk/mcp`)](https://github.com/vercel/ai/blob/67df0a02842611eaf9325f985b79412e391d013a/packages/mcp/src/tool/oauth.ts#L691) — uses `response.ok` - [axios](https://github.com/axios/axios/blob/66337fc6fc238286231afd3e5ea385a10e15236a/lib/defaults/index.js#L162) — resolves for any 2XX by default If you're unsure, search your codebase for explicit `201` checks against this endpoint. ## What should I do? Rather than hardcoding a check for either `200` or `201`, we recommend checking for a successful 2XX response range — e.g. [`response.ok`](https://developer.mozilla.org/en-US/docs/Web/API/Response/ok) in the Fetch API. This is consistent with how popular OAuth client libraries handle token responses and will be resilient to either status code. ## Timeline | Date | Event | | --- | --- | | May 1, 2026 | Announcement published | | May 26, 2026 | Change takes effect |