Browser-Based Authentication

You build great web applications. We have millions of users who store their data on Yahoo!. Browser-Based Authentication (BBAuth) makes it possible for your applications to use that data (with their permission).

BBAuth also offers a Single Sign-On (SSO) facility so that existing Yahoo! users can use your services without having to complete yet another registration process.

How It Works

The first time a user visits your web site, you redirect them to a specially constructed Yahoo! URL where they can log in and grant your application permission.

The image below illustrates the process.

[Figure: BBAuth Flow]

How Do I Get Started?

To use BBAuth, you'll need to do the following:

  1. Register your application

    First you need to register your application with Yahoo!. The process requires that you describe what your application does, provide contact information, set your application's endpoint URL, and select the Yahoo! services to which your application needs access. Some services may divide their API calls into subsets, or scopes. For example, a service might group its read-only methods into a single scope.

    When you complete registration, Yahoo! provides you with an application ID and shared secret for making authenticated service calls.

  2. Log in your users

    Your application cannot access a user's personal data until the user grants your application limited access to their data. To do this, you must direct your users to a specialized Yahoo! login page. Once the user enters their Yahoo! user ID and password, Yahoo! displays a Terms of Service page and lists the data that your application may access. If the user grants your application access, Yahoo! redirects the user to your site. The redirect URL contains a token that you use to retrieve the user's credentials.

  3. Use the user's credentials to make web service calls

    Now that you have the user's token, you can use it to retrieve an auth cookie and a WSSID, which together represent the user's credentials. The user's credentials last for one hour, and you must supply them for each authenticated web service call.

Using Browser-Based Authentication

Where to Go From Here

Registering Your Application explains how to acquire an application ID and shared secret for your application.

Terms of Use

Licensing terms for Browser-Based Authentication are defined by the general Yahoo! API Terms of Use. All of the code samples listed in this section are provided free of charge under a BSD license.

Support & Community

Browser-Based Authentication and related topics are discussed on the ydn-auth mailing list. If you have questions or need technical support, please use this group.

If you need your application key deactivated (for example, if you feel it has been compromised), then see the Yahoo! Developer Help page for information on how to contact Yahoo! Customer Care.