Private Data v. Public Data

Public Data

When creating applications that only use public data, you do not need authorization from the end User. These types of applications are called two-legged in OAuth terminology because the authorization occurs between two parties: an application (the Consumer) and the public data source (the Service Provider). The public data source can be a Web service or Web feeds such as RSS or Atom feeds. Most Web services offering public data require two-legged authorization, whereby an application and the Web service exchange keys before public data can be transferred. Public data from RSS or Atom feeds, however, do not require any authorization.


While this guide discusses the three-legged method for OAuth authorization, you may instead use the two-legged method with some API requests because you aren't requesting access to private data.

The key difference in two-legged OAuth is that you don't need a Request Token or an Access Token, and so you skip Steps 2-5 in the OAuth Authorization Flow.

An example of a two-legged application would be one that gets public data using the Yahoo Query Language (YQL). The application exchanges a Consumer Key and Consumer Secret with YQL, but no end User authorization is required.

Private Data

To access private data, your application is required to get the end User's authorization. An application that requires User authorization is called three-legged in OAuth terminology because the authorization occurs between three parties: the end user (User), the application (the Consumer), and the private data source (the Service Provider). The private data source for applications using the PHP SDK are the Social Directory APIs. In a three-legged authorized application using the Social Directory APIs, end Users choose whether to give your application access to their Yahoo Social data.

The table below provides some general rules for the type of authorization needed for different types of data available on the Web. Some Web services or feeds may not follow these guidelines.

Table 1.1. General Guide to Authorization for Different Web data

Type of Data Data Source Privacy Level Type of Authorization Needed Examples
News and Blog feeds (RSS, Atom, etc.) Web feeds Public None NY Times Small Business RSS Feed (, Rob Weir's Blog Atom Feed (
YQL Public Data Web services Public two-legged authorization weather forecast search using YQL
Private User Data Web services Private three-legged authorization private User data from the Yahoo Social APIs, such as Updates and Social Directory

Table of Contents