OAuth Server Enhancements

Exciting changes for OCLC API users

OCLC continues to prioritize API security and the user experience. In the second half of 2019 we have many upcoming changes to enhance OCLC APIs.

New OAuth 2.0 endpoints

Starting immediately, OCLC API customers can take advantage of OAuth 2.0 endpoints that conform to security standards. 

This change will provide OCLC customers with more secure access to OCLC APIs and a more seamless experience. This will speed adoption and make OCLC APIs easier to test in standard API clients and tools. 

Libraries using our custom clients can immediately begin migrating to standard OAuth clients. View the documentation for instructions on getting started. The existing OAuth endpoints will be deprecated in the next 12 to 18 months. 

Additional updates coming soon

  • WSkey form updates: API customers must now choose the type of application they’re building when requesting a WSkey. This update enhances API security and allows OCLC to better troubleshoot and support applications.

  • Automatic WSkey lockout: 5 failed authentication attempts in 5 minutes will result in WSkeys being disabled. WSkey administrators can reenable WSkeys via the WSkey Management UI: https://platform.worldcat.org/wskey/.

  • Default users associated with WSkeys: Applications will no longer be able to specify user information when requesting an access token. Machine-to-machine applications using WSkeys will have default users assigned to them and OCLC will update WSkeys with appropriate default users. This will improve the user experience because API customers will no longer need to create a user and discover the related identifiers.

  • Updated OAuth flow for mobile clients: Mobile applications can now use the Explicit + PKCE flow to obtain access tokens. The user agent/mobile flow will be sunset in an upcoming release to be determined. This is a security enhancement to conform with OAuth community best practices. 
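For the automatic WSkey lockout rule above, a client can stop itself one failure short of the threshold so that a bad secret or clock problem does not disable the key. This is an added example, not OCLC code: the `LockoutGuard` class, the `attempt` helper, the `send_token_request` callable and the use of HTTP 401 as the failure signal are assumptions, as is treating the 5-minute window as sliding.

```python
import time
from collections import deque

# Thresholds stated in the announcement: 5 failed attempts in 5 minutes.
LOCKOUT_FAILURES = 5
LOCKOUT_WINDOW_SECONDS = 5 * 60


class LockoutGuard:
    """Client-side breaker that refuses to send the failure that would lock the key.

    Assumption: failures are counted in a sliding window. Successful requests
    do not reset the count here, which is the conservative choice.
    """

    def __init__(self, max_failures=LOCKOUT_FAILURES - 1,
                 window=LOCKOUT_WINDOW_SECONDS, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.clock = clock
        self._failures = deque()  # timestamps of recent failed attempts

    def _prune(self, now):
        # Drop failures that have aged out of the window.
        while self._failures and now - self._failures[0] >= self.window:
            self._failures.popleft()

    def may_attempt(self):
        self._prune(self.clock())
        return len(self._failures) < self.max_failures

    def seconds_until_retry(self):
        now = self.clock()
        self._prune(now)
        if len(self._failures) < self.max_failures:
            return 0.0
        return self.window - (now - self._failures[0])

    def record_failure(self):
        self._failures.append(self.clock())


def attempt(guard, send_token_request):
    """Call send_token_request() (hypothetical; returns an HTTP status) if allowed."""
    if not guard.may_attempt():
        return None  # blocked locally; nothing was sent to the server
    status = send_token_request()
    if status == 401:  # assumed status for a failed authentication
        guard.record_failure()
    return status
```

When `attempt` returns `None`, log the event and alert the WSkey administrator instead of retrying, since repeated failures usually mean a rotated or mistyped secret.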

Next steps

Developers creating or maintaining applications using the WorldCat Metadata API and any WMS API should begin migrating to the new OAuth 2.0 endpoints. We are working with developers of MarcEdit and the University of New Mexico Label Application to ensure they are upgraded in a timely manner. Users of the WorldCat MarcEdit integration and the UNM Label Application do not need to upgrade at this time.

Developers creating or maintaining mobile applications should begin using the Explicit + PKCE flow. 

Also, we are actively working with our integration partners on this transition to ensure workflows are not interrupted. 

If you have questions about any of these changes, please contact devnet@oclc.org.


Karen Coombs

Senior Product Analyst