Intermediate Reading #deprecation #end-of-life #migration #oauth

Reading Deprecation Notices

5 exercises — read a realistic SDK deprecation notice with a security rationale, migration path, and hard end-of-life deadline. Understand what is deprecated, why, and what action is required.

Reading deprecation notices: key elements
  • What is deprecated → the specific methods, options, or endpoints being removed
  • Why → the security or technical rationale for the change
  • End-of-life date → the hard deadline after which the feature stops working
  • Migration path → step-by-step replacement instructions
  • Support contact → where to get help if migration is blocked
0 / 5 completed
1 / 5
Deprecation Notice — @acme/payments SDK
DEPRECATION NOTICE — @acme/payments SDK v2 Authentication API
Published: 2026-05-01 | Effective End-of-Life: 2027-01-31

---

WHAT IS DEPRECATED

The following methods in @acme/payments are deprecated as of v2.8.0:

  - PaymentsClient.authenticate(apiKey)
  - PaymentsClient.refreshToken(token)
  - config.auth.legacyApiKey option

These methods rely on the legacy API key authentication scheme, which does
not support IP allowlisting, per-request scoping, or audit logging. They
will be REMOVED in v3.0.0, scheduled for release on 1 February 2027.

---

WHY WE ARE DEPRECATING

The legacy API key scheme has two significant limitations:
1. A single API key grants full account access. If compromised, all
   payment operations are exposed until the key is manually rotated.
2. Keys do not expire automatically. Teams frequently leave test keys
   active in production or fail to rotate after staff changes.

OAuth 2.0 client credentials (the replacement) addresses both: tokens
are scoped, short-lived, and generated per-environment.

---

MIGRATION PATH

Replace: PaymentsClient.authenticate(apiKey)
With:    PaymentsClient.authenticateOAuth(clientId, clientSecret)

1. Generate OAuth credentials in the Dashboard under
   Settings > API > OAuth Clients.
2. Store clientId and clientSecret in your secrets manager
   (not in .env files committed to source control).
3. Replace all calls to authenticate() with authenticateOAuth().
4. Remove any config.auth.legacyApiKey entries from your config files.
5. Test against the sandbox environment before deploying.

Full migration guide: https://docs.acmepayments.io/migrate/oauth

---

SUPPORT

- Legacy API keys continue to work until 2027-01-31.
- After that date, any request using a legacy key will receive HTTP 401.
- For migration assistance, contact developer-support@acmepayments.io.
According to this deprecation notice, what will happen on 1 February 2027?