Dev Insights Blog


By: The ESI Development Team

Published: 2025-04-11

Removal of v1 authentication tokens

At the end of 2021, the EVE SSO (and by extension, ESI) switched from one method of authentication (called v1) to another (called JSON Web Tokens). These JWTs are much more useful, both for third-party developers and for ESI itself. Moreover, with the whole world adopting OpenID Connect, JWT has become an industry standard.

Back then we announced that support for v1 would be removed at some point in the future. As you might have guessed: that moment has finally arrived. Currently the removal of this v1 authentication flow is scheduled for the 13th of May, 2025.

The main issue with v1 tokens is that for each request a centralized server needs to be contacted to check the validity of the token. This is, resource-wise, very expensive. JWT tokens, on the other hand, can be validated without contacting a centralized server on each request. This is much more efficient, easier to maintain, and easier to work with in general.
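To make the difference concrete, here is an added example (not code from CCP or ESI) of validating an RS256-signed JWT using only the issuer's public key, with no call to a central server. The toy key, the issuer `https://sso.example.test`, the audience `client-abc` and all function names are constructed for illustration; a real service would load the issuer's published public key once and cache it.

```python
import base64, hashlib, json, time

# Constructed toy RSA key from two Mersenne primes: demo only, trivially factorable.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q                                  # public modulus, known to every verifier
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent, held only by the issuer
K = (N.bit_length() + 7) // 8              # modulus length in bytes
# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def b64u(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def emsa(message):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message), as an integer."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t, "big")

def issue(claims):
    """Issuer side: sign header.payload once with the private key."""
    head = b64u(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = b64u(json.dumps(claims).encode())
    sig = pow(emsa(f"{head}.{body}".encode()), D, N)
    return f"{head}.{body}.{b64u(sig.to_bytes(K, 'big'))}"

def validate(token, issuer, audience, now=None):
    """API side: needs only the public key (N, E); makes no network call."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        header, claims = json.loads(b64u_dec(head)), json.loads(b64u_dec(body))
        signature = int.from_bytes(b64u_dec(sig), "big")
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise ValueError
    except (ValueError, TypeError, AttributeError):
        raise ValueError("malformed token") from None
    if header.get("alg") != "RS256":       # pin the algorithm, never trust the header
        raise ValueError("unexpected alg")
    if pow(signature, E, N) != emsa(f"{head}.{body}".encode()):
        raise ValueError("bad signature")
    aud = claims.get("aud")
    if claims.get("iss") != issuer or audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong issuer or audience")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("expired")
    return claims
```

The hand-rolled RSA check is here to show what a verifier actually computes; production code should use a maintained JWT library with the same algorithm, issuer, audience and expiry checks.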

The new API Gateway will only support JWT tokens, and not v1 tokens. Currently this code is deployed, but deactivated (and as such, the old ESI router is still validating both v1 and JWT tokens). On the 13th of May, we will flip the switch and the API Gateway will start validating tokens. From this moment on, v1 tokens will no longer be accepted. After that, we can finally remove the old ESI router.

We don’t make the choice to remove these things lightly. We first investigate what the impact will be, which applications are impacted, and if there is something we can do to mitigate that. In this case, we see that 0.5% of the authenticated traffic still uses this old authentication flow. Although this doesn’t sound like a lot, there are a few applications in there that require attention.

Most notably, NeoCOM (and NeoCOM II) is on that list. It is one of the mobile applications that uses ESI to bring EVE to your pocket. Sadly, neither NeoCOM nor NeoCOM II has seen any update since 2020, a year before ESI switched authentication method. This also means we don’t expect NeoCOM to be updated any time soon. But if anyone is interested in making NeoCOM III, we are here to assist you in migrating over to the new JWT-based authentication flow.

Other than that, we also see a bunch of unnamed frameworks (like python-requests, for example) on the list. We cannot see what application is behind that. In case you are not sure which authentication flow you use, please double-check that you use URLs that start with /v2, like /v2/oauth/authorize etc. See the above blog post for more details.

Currently the removal of the v1 authentication flow is planned for the 13th of May, 2025. This is in roughly four weeks. If we can assist you in migrating over, please reach out on the EVE Discord in #3rd-party-dev-and-esi.

Fly safe,

CCP Stroopwafel & CCP Pinky