We're opening beta access to a new OAuth 2.1 flow for monday apps, and inviting partners and developers to test it before broader release.
If you have a live app on monday.com that authenticates users via OAuth, this is for you.
Why OAuth 2.1
The new flow brings short-lived access tokens, refresh tokens, and token revocation to monday apps - core OAuth 2.1 concepts that match how modern OAuth works across the web.
What this changes for your app
- Standard OAuth library support. The new flow exposes its configuration - authorization URL, token URL, supported scopes, and other settings - at a single discovery URL (RFC 8414). Modern OAuth libraries fetch this URL and auto-configure, so you don't need to set each value manually.
- Background token refresh. Refresh tokens renew access tokens in the background, so users don't need to reauthorize each time an access token expires.
- Token revocation. A new API lets developers revoke access and refresh tokens at any time.
- Aligned with industry security standards. The new flow follows OAuth 2.1 and the current OAuth security best practice (RFC 9700). Token rotation is handled by the platform.
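As an added illustration (not monday's code or documentation), this is the kind of check a client can run on an RFC 8414 discovery document before trusting it for the features listed above. The issuer `https://auth.example.invalid` and the sample metadata are constructed placeholders, and treating the revocation endpoint as mandatory is this example's own policy.

```python
from urllib.parse import urlsplit, urlunsplit

WELL_KNOWN = "/.well-known/oauth-authorization-server"

def metadata_url(issuer: str) -> str:
    """RFC 8414 section 3: the well-known segment goes between host and issuer path."""
    u = urlsplit(issuer)
    if u.scheme != "https" or not u.netloc or u.query or u.fragment:
        raise ValueError("issuer must be an https URL without query or fragment")
    return urlunsplit(("https", u.netloc, WELL_KNOWN + u.path.rstrip("/"), "", ""))

def check_metadata(expected_issuer: str, md: dict) -> list:
    """Return a list of problems; an empty list means the document is usable."""
    problems = []
    if md.get("issuer") != expected_issuer:
        problems.append("issuer mismatch")
    # Every endpoint the client will send codes or tokens to must be https.
    for key in ("authorization_endpoint", "token_endpoint", "revocation_endpoint"):
        url = md.get(key)
        if not isinstance(url, str) or urlsplit(url).scheme != "https":
            problems.append(f"{key} missing or not https")
    if "code" not in md.get("response_types_supported", []):
        problems.append("authorization code response type not advertised")
    # RFC 8414: an absent code_challenge_methods_supported means no PKCE support.
    if "S256" not in md.get("code_challenge_methods_supported", []):
        problems.append("PKCE S256 not advertised")
    # RFC 8414 default when grant_types_supported is omitted.
    grants = md.get("grant_types_supported", ["authorization_code", "implicit"])
    if "refresh_token" not in grants:
        problems.append("refresh_token grant not advertised")
    return problems

# Constructed sample document; every value here is a placeholder.
ISSUER = "https://auth.example.invalid"
SAMPLE = {
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/authorize",
    "token_endpoint": ISSUER + "/token",
    "revocation_endpoint": ISSUER + "/revoke",
    "response_types_supported": ["code"],
    "grant_types_supported": ["authorization_code", "refresh_token"],
    "code_challenge_methods_supported": ["S256"],
}

if __name__ == "__main__":
    print(metadata_url(ISSUER), check_metadata(ISSUER, SAMPLE))
```

The issuer comparison is an exact string match, as RFC 8414 requires, so a document served for one issuer cannot be used to configure a client for another.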
About the beta program
This beta is part of our rollout, designed to surface developer feedback and detect issues early.
Beta participants will receive:
- A direct line to engineering for blockers and edge cases
- Influence on documentation, error messages, and migration tooling
- Code samples and the migration guide, delivered directly to participants
- Early access ahead of broader rollout
We'll ask you to test the flow on a draft version of your app and share what you find - bugs, edge cases, doc gaps, and how this lands for your install and onboarding flow.
When you promote the draft to live, the new flow applies to all users of your app across every installed account.