
Major AI Clients Shipping With Broken OAuth Implementations
Tags: OAuth, AI Security, Authentication, Vulnerabilities
Several widely used AI clients—including Claude Code, Claude Desktop, Cursor, LibreChat, and Amazon Q CLI—have failed to implement the refresh-token flow in OAuth, leading developers to rely on long-lived tokens. The post provides a matrix of 14 major clients, linking to feature requests, pull requests, and forum discussions on the issue. A temporary workaround for security-conscious users and a best practices guide for developers are also mentioned. The reference will be updated monthly to track progress on these open requests.