Using OAuth for Messenger API

Please note the following recommendations when using OAuth authentication with Yahoo Messenger.

  1. For Messenger clients, a correct timestamp may not be available in certain platforms especially mobile. In those cases, we recommend using the PLAINTEXT method of signature calculation so that value of timestamp parameter is ignored.
  2. OAuth credentials should be passed either via query parameters or via an HTTP Authorization header. Credentials in the POST body are not supported.

The OAuth credentials that must be passed into a Yahoo Messenger IM API request are as follows:


This is a constant string "".


This is the API key (OAuth Consumer Key) that was generated by


This is a cryptographic nonce, a random number of your choosing. Once used, the number should not be used again.


The signature method used to cryptographically sign API requests, such as "PLAINTEXT" or "HMAC-SHA1".


This is an integer timestamp, represented as the number of seconds since the epoch. Note that if your system presents its timestamps as milliseconds since epoch, you should divide that number by 1000.


This is the token that was returned by the previous PART exchange API call.


This is the constant string "1.0".


The Consumer Secret that was issued to the application. If you are using the PLAINTEXT signature method, concatenate %26 at the end of the Consumer Secret, and then concatenate oauth_token_secret from the previous call. For more information about signing requests, refer to Signing Requests at Yahoo!

Table of Contents