Fix: Add warning about removing custom OAuth2 grant types [4.1.0]

en/docs/reference/customize-product/extending-api-manager/extending-key-management/writing-custom-grant-types.md

@@ -10,4 +10,18 @@ To implement custom grant types for the API Manager, see [Writing a Custom OAuth
 | `password`| `org.wso2.carbon.identity.oauth2.token.handlers.grant.PasswordGrantHandler`|
 | `refresh_token`| `org.wso2.carbon.identity.oauth2.token.handlers.grant.RefreshGrantHandler`|
 | `client_credentials`| `org.wso2.carbon.identity.oauth2.token.handlers.grant.ClientCredentialsGrantHandler` |
-| `urn:ietf:params:oauth:grant-type:saml2-bearer` | `org.wso2.carbon.identity.oauth2.token.handlers.grant.saml.SAML2BearerGrantHandler`|
+| `urn:ietf:params:oauth:grant-type:saml2-bearer` | `org.wso2.carbon.identity.oauth2.token.handlers.grant.saml.SAML2BearerGrantHandler`|
+
+## Important considerations when removing custom grant types
+
+!!! warning "Clean up OAuth applications before removing custom grant types"
+
+    When you remove a custom grant type from `deployment.toml`, any existing OAuth applications that used that grant type will still keep it in their client settings. This can cause issues when you perform operations on these applications later, such as changing the application owner.
+
+    **Before removing a custom grant type from `deployment.toml`:**
+
+    1. Find all applications that use the custom grant type.
+    2. Update those applications to remove or replace the grant type. Use the Key Manager or client registration update APIs for this purpose.
+    3. Only after completing these steps, remove the grant type from `deployment.toml`.
+
+    If you skip this cleanup step, operations such as application updates or ownership changes can fail with errors like "grant type is not allowed" and can cause inconsistencies between the Service Provider and Application tables.