Announcing Removal of Legacy API Endpoints and Insecure Connections

Back to overview

On March 1st, 2023, Sketchfab will be removing the following legacy features:

These changes will be completely seamless and will likely not affect 99.9% of Sketchfab users. If, however, you are a developer using the Sketchfab API and you think you might be using legacy features, please read on.

V0 and V1 Data API endpoints

The current version of the Sketchfab Data API is V3. This means that API URLs look something like /v3/models. V3 contains the latest features in terms of functionality and security, and is the most robustly documented.

What is changing?

On March 1st, 2023, the /v0/ and /v1/ endpoints will be completely deactivated. Attempting to access these endpoints will result in a 404 response, and any applications that depend on them will stop functioning.

What do I need to do?

If you are using V0 or V1 endpoints, you should migrate your application to use the V3 endpoints. Migrating to V3 is relatively painless. Other than changing “/v1/” to “/v3/” in URLs, there are only a handful of parameters with new names and objects with new shapes. Please visit the full Data API documentation for details.

Support for V2 of the Data API will continue until further notice, but we highly recommend migrating to V3 whenever possible. If you are starting a new project, you should use V3.

Support for TLS protocol versions 1.0 and 1.1

Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a computer network.”

The most recent version of TLS is 1.3. Versions 1.0 and 1.1 are now universally considered deprecated and insecure. ​​We have continued support for TLS versions 1.0 and 1.1 to maintain backward compatibility for customers that have older or difficult-to-update clients, such as browsers embedded inside other applications.

What is changing?

On March 1st, 2023, TLS 1.2 will become the minimum TLS protocol level required to connect to any Sketchfab service.

Support for TLS 1.0 and 1.1 protocols has become untenable from a security perspective; services that the Sketchfab platform relies on will also soon drop support for these protocols, and all modern web browsers dropped support for these protocols years ago.

What do I need to do?

If you have any connections using TLS 1.0 or 1.1, you should update your client software to use TLS 1.2 or later. Ideally, you should move directly to TLS 1.3.

Non-HTTPS endpoints

Hypertext Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP) encrypted using Transport Layer Security (TLS).”

A handful of Sketchfab API endpoints and services allow connections via HTTP, but this is insecure.

What is changing?

On March 1st, 2023, connections to and other Sketchfab services using the http:// protocol will stop functioning.

What do I need to do?

These legacy connections are only allowed in obscure legacy applications (for example, Data API V0, above), and as a result, this change should affect very few users. If your application relies on any http:// connection, you should update it to use https:// connections.

Incorrect implementation of OAuth2 app authentication

OAuth (short for “Open Authorization”) is an open standard for access delegation, commonly used as a way for internet users to grant websites or applications access to their information on other websites but without giving them the passwords.”

Sketchfab implements OAuth2 to allow users to log in to their Sketchfab account in external applications, such as importers and exporters.

What is changing?

On March 1st, 2023, we will be updating the libraries we use to implement OAuth2 login. This update will improve security and performance, but prevent some implementations from functioning because they do not strictly follow the OAuth2 Authentication Framework.

More specifically, parameters required to fetch an access token must be included in the data payload of the POST request, rather than in the URL used to make the request.

What do I need to do?

If your application uses Sketchfab OAuth and includes parameters such as client_id directly in the access token request URL, you must update your application to place these parameters as key-value pairs in the POST data payload.

Here’s an example of the change using Python and the requests package.

Incorrect but currently working, putting all the parameters directly in the request URL:



Correct and required after the change, putting all parameters in the request body data:

        'grant_type': 'authorization_code',
        'code': 'AUTHORIZATION_CODE',
        'client_id': CLIENT_ID,
        'client_secret': CLIENT_SECRET,
        'redirect_uri': REDIRECT_URI



To reiterate, these changes should be completely unnoticeable to the huge majority of Sketchfab users, and even to most Sketchfab API developers. If you are affected by these changes, we apologize for the inconvenience and we understand that it may be difficult to upgrade legacy applications. However, we strongly believe that the security improvements and reduction of technical debt represented by these upgrades will lead to a better experience for the entire Sketchfab community.

If you have any questions or concerns, please feel free to contact us here.

About the author

James Green

Senior Product Specialist | Sketchfab

No Comments

    Leave a Reply

    Your email address will not be published. Required fields are marked *

    "Post comment" will create a new comment that can be read by anyone who visits this website and has access to this topic. Do not include sensitive data like IDs, credentials, or non-public information.

    To remove a comment, contact the Sketchfab Community Team.

    Related articles