OAuth Authorization Model
OAuth is a simple, secure, and quick way to publish and access protected data (photos, videos, contact lists). It's an open authorization model based primarily on existing standards that ensures secure credentials can be provisioned and verified by different software platforms.
In other words, OAuth allows you to share your private resources stored on one site with another site without having to hand out your user name and password.
For a visitor to your site, OAuth is completely transparent. The user experience will be specific to the implementation of both the site requesting access and the one storing the resources, and will adjust to the device being used (web browser, mobile phone, PDA, set-top box).
Example user flow:
A developer has created an application that allows its users to represent their presence using the Yahoo! Status web service. Once the developer signs up for an OAuth API Key and Secret (provided by Yahoo!), they may access Yahoo!'s OAuth API to establish the credentials used to access this data from Yahoo! Status. When a user interacts with the developer's application, they are redirected to Yahoo!'s authorization page, where they sign in to their Yahoo! account and then grant the application access to their Yahoo! Status data. A user-authorized token is returned to the application, which can use it to access this data.
Information on the April 2009 OAuth Security Issue and Update
How Do I Get Started?
- Get an API Key
- Read the online documentation
- Get one of our Social API SDKs (optional)
Using the API or Web Service
Overview
For an illustration of the OAuth authorization flow, check out the Yahoo! OAuth Quick Start Guide.
To communicate with a user's Yahoo! services through OAuth, developers must first authorize their requests using Yahoo! OAuth.
Here are the steps you take to enable users to access your application:
- Sign Up and Get your API Key
- Get a Request Token
- Get User Approval
- Exchange the Request Token for an Access Token
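The "Get a Request Token" step requires a signed request; the following is an added example, not Yahoo!'s code, that builds the OAuth Core 1.0 signature base string and HMAC-SHA1 signature for it and shows the matching provider-side check. Assumptions: the endpoint URL, consumer key, secret, nonce and timestamp are constructed placeholders, the URL is already normalized with no query string, and HMAC-SHA1 is used as one of the signature methods OAuth Core 1.0 defines (this page does not say which method Yahoo! requires).

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed placeholders (assumptions), not Yahoo!'s real endpoint
# or credentials.
REQUEST_TOKEN_URL = "https://provider.example/oauth/get_request_token"
CONSUMER_KEY = "example-consumer-key"
CONSUMER_SECRET = "example-consumer-secret"

def pct(value):
    """Percent-encode per OAuth Core 1.0: only A-Z a-z 0-9 - . _ ~ stay literal."""
    return quote(value, safe="-._~")

def signature_base_string(method, url, params):
    """HTTP method, URL and sorted, encoded parameters, each encoded and joined by '&'."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string; the token secret is empty before a token exists."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()

def verify(method, url, params, signature, consumer_secret, token_secret=""):
    """Provider-side check: recompute the signature and compare in constant time."""
    expected = sign(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, signature)

def request_token_params(nonce, timestamp):
    """Protocol parameters for the request-token call (signature not yet included)."""
    return {
        "oauth_consumer_key": CONSUMER_KEY,
        "oauth_nonce": nonce,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": timestamp,
        "oauth_version": "1.0",
    }

if __name__ == "__main__":
    params = request_token_params("constructed-nonce", "1265328000")
    print(signature_base_string("GET", REQUEST_TOKEN_URL, params))
    params["oauth_signature"] = sign("GET", REQUEST_TOKEN_URL, params, CONSUMER_SECRET)
    print(params["oauth_signature"])
```

The same `sign` function covers the later steps: once a request or access token has been issued, its token secret is passed as `token_secret` and `oauth_token` is added to the parameters.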
Support and Community
Questions and suggestions on the OAuth API are discussed on the Yahoo! OAuth Developer Community forum. If you have questions or need technical support, please use this forum.
Terms of Use
Use of the Yahoo! OAuth API is governed by the Yahoo! APIs Terms of Use.
The OAuth Standard
Yahoo!'s OAuth implementation is fully compliant with OAuth Core 1.0 and the OAuth Session Extension draft (1). In order to support OAuth in a scalable way, Yahoo! proposed and helped create the OAuth Session Extension together with AOL and Google. The extension is currently being added to all the major OAuth client libraries as well as the Y!OS SDK. For more information on the standard, visit: http://oauth.net/.

