
Major AI Clients Shipping With Broken OAuth Implementations
OAuth, Security Vulnerabilities, AI Software, Authentication
Several widely used AI clients—including Claude Code, Claude Desktop, Cursor, LibreChat, and Amazon Q CLI—fail to implement the OAuth refresh-token flow. This forces developers to rely on long-lived tokens instead. The post highlights this as a security regression and provides a reference page tracking the status of 14 major clients.
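
As an added illustration (not code from the post or from any of the clients named above), the Python example below shows the client side of the refresh-token grant defined in RFC 6749 section 6: hold a short-lived access token, exchange the refresh token before expiry, and adopt a rotated refresh token when the server issues one. `TokenManager`, `FakeAuthServer`, the `demo-client` id and all token values are constructed for this example, and the token endpoint is replaced by an in-process stand-in so the code runs offline.

```python
import time
import urllib.parse

class TokenManager:
    """Hypothetical client helper: keeps a short-lived access token fresh."""
    def __init__(self, post_form, client_id, access_token, refresh_token, expires_in, skew=30):
        self.post_form = post_form  # injected transport: form body (str) -> parsed JSON (dict)
        self.client_id = client_id  # public client, so no client secret is sent (assumption)
        self.access_token, self.refresh_token = access_token, refresh_token
        self.expires_at = time.time() + expires_in
        self.skew = skew  # refresh this many seconds before expiry

    def get_access_token(self, now=None):
        now = time.time() if now is None else now
        if now >= self.expires_at - self.skew:
            self._refresh(now)
        return self.access_token

    def _refresh(self, now):
        body = urllib.parse.urlencode({"grant_type": "refresh_token",
            "refresh_token": self.refresh_token, "client_id": self.client_id})
        resp = self.post_form(body)
        if "error" in resp:
            # Refresh token revoked, expired or already used: drop credentials, force re-login.
            self.access_token = self.refresh_token = None
            raise PermissionError(resp["error"])
        self.access_token = resp["access_token"]
        self.expires_at = now + int(resp["expires_in"])
        # Rotation: if a new refresh token is returned, the old one must be discarded.
        self.refresh_token = resp.get("refresh_token", self.refresh_token)

class FakeAuthServer:
    """Constructed stand-in for a token endpoint that rotates refresh tokens."""
    def __init__(self, refresh_token):
        self.valid_refresh, self.issued = refresh_token, 0

    def token_endpoint(self, body):
        form = dict(urllib.parse.parse_qsl(body))
        if form.get("grant_type") != "refresh_token" or form.get("refresh_token") != self.valid_refresh:
            return {"error": "invalid_grant"}
        self.issued += 1
        self.valid_refresh = f"rt-{self.issued}"
        return {"access_token": f"at-{self.issued}", "token_type": "Bearer",
                "expires_in": 300, "refresh_token": self.valid_refresh}
```

In a real client, `post_form` would POST the body as `application/x-www-form-urlencoded` to the authorization server's token endpoint over TLS, and the refresh token would live in the OS credential store rather than in memory only.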