@abooth We’ve stopped supporting the impersonation feature for the foreseeable future due to a number of security concerns. Impersonation leaves your application vulnerable to CSRF attacks, since the flag allows the bypassing of the CSRF check from the state parameter if this parameter is missing from the authorization response. I will need to investigate if there is an alternative at this time.