Exchange the Request Token and OAuth Verifier for an Access Token (get_token)


Supported Methods:


After your Users authorize your application to access their information, your application needs to exchange the approved Request Token for an Access Token, which tells Yahoo that your application has been given authorization to access User data. (OAuth Core 1.0 Spec, Section 6.3)

The following is an example of a URI request for an Access Token:

Table 4.5. Get Access Token (get_token) Request Parameters

| Request Parameter | Description |
| --- | --- |
| oauth_consumer_key | Consumer Key provided to you when you signed up. |
| oauth_signature_method | The signature method that you use to sign the request. This can be PLAINTEXT or HMAC-SHA1. |
| oauth_nonce | A random string (OAuth Core 1.0 Spec, Section 8). |
| oauth_signature | The concatenated Consumer Secret and Token Secret separated by an "&" character. If you are using the PLAINTEXT signature method, add %26 at the end of the Consumer Secret. If using HMAC-SHA1, refer to OAuth Core 1.0 Spec, Section 9.2. For more information about signing requests, refer to Signing Requests to Yahoo. |
| oauth_timestamp | Current timestamp of the request. This value must be within ±600 seconds of the current time. |
| oauth_verifier | The OAuth Verifier is a verification code tied to the Request Token. |
| oauth_version | OAuth version (1.0). |
| oauth_token | The Request Token, which is required during the User authorization process and is short enough for the end User to easily enter. The Request Token is provided in the response to the get_request_token request. |

Yahoo will return a response similar to the following:

Table 4.6. Get Access Token (get_token) Response Parameters

| Response Parameter | Description |
| --- | --- |
| oauth_token | The Access Token provides access to protected resources accessible through Yahoo Web services. |
| oauth_token_secret | The secret associated with the Access Token provided in hexstring format. |
| oauth_session_handle | The persistent credential used by Yahoo to identify the Consumer after a User has authorized access to private data. Include this credential in your request to refresh the Access Token once it expires. |
| oauth_expires_in | Lifetime of the Access Token in seconds (3600, or 1 hour). |
| oauth_authorization_expires_in | Lifetime of the oauth_session_handle in seconds. |
| xoauth_yahoo_guid | The introspective GUID of the currently logged in User. For more information on the GUID, see the Yahoo Social API Reference. |

Once you have an Access Token, you can use it in requests to Yahoo Web services. For more information on using the Access Token in Yahoo API requests, refer to Use OAuth in Yahoo API Requests.
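
The exchange described in Tables 4.5 and 4.6, sketched as an added example (not Yahoo's own code): it builds the get_token parameters with a PLAINTEXT signature and validates the response before the token is stored. The function names, the sample values and the form-encoded response body (as in OAuth Core 1.0, Section 6.3.2) are assumptions; the endpoint URL is left to the caller, and PLAINTEXT signatures should only ever be sent over HTTPS.

```python
import secrets
import time
from urllib.parse import parse_qs, quote, urlencode


def build_get_token_query(consumer_key, consumer_secret, request_token,
                          request_token_secret, verifier, now=None):
    """Return the URL-encoded get_token parameters (PLAINTEXT signature)."""
    def enc(value):
        return quote(value, safe="")

    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_signature_method": "PLAINTEXT",
        "oauth_nonce": secrets.token_hex(16),  # unpredictable, used once
        # Consumer Secret and Token Secret joined by "&"; urlencode() below
        # turns that "&" into %26 on the wire.
        "oauth_signature": enc(consumer_secret) + "&" + enc(request_token_secret),
        # Must be within 600 seconds of the server's time: keep the clock synced.
        "oauth_timestamp": str(int(time.time() if now is None else now)),
        "oauth_verifier": verifier,
        "oauth_version": "1.0",
        "oauth_token": request_token,
    }
    return urlencode(params, quote_via=quote)


REQUIRED = ("oauth_token", "oauth_token_secret", "oauth_session_handle",
            "oauth_expires_in")


def parse_get_token_response(body, received_at):
    """Parse the response body; reject incomplete or duplicated parameters."""
    fields = parse_qs(body, strict_parsing=True)
    missing = [name for name in REQUIRED if name not in fields]
    if missing:
        raise ValueError(f"missing response parameters: {missing}")
    if any(len(values) != 1 for values in fields.values()):
        raise ValueError("duplicated response parameter")
    token = {name: values[0] for name, values in fields.items()}
    # Absolute expiry, so the caller knows when to refresh with the
    # oauth_session_handle instead of sending an expired Access Token.
    token["expires_at"] = received_at + int(token["oauth_expires_in"])
    return token
```

Store `oauth_token_secret` and `oauth_session_handle` server-side only; both are long-lived credentials and should never reach the browser or the pop-up window.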


If you used the pop-up window method for presenting the Yahoo authorization page, ensure that you close this window once you receive the Access Token from Yahoo.
