Yahoo OAuth 2.0 Guide

OAuth 2.0 is an updated version of the OAuth protocol that supersedes OAuth 1.0 and 1.0a. OAuth is an open standard for authorization that Yahoo uses to grant access to user data.

OAuth 2.0 is currently supported by Oath Ad Platforms and UserInfo APIs.

OAuth 2.0 has some key distinctions from OAuth 1.0:
  • SSL for secure communication.

  • Signatures are no longer necessary.

  • Support for a variety of grant types and flows.

Supported Client Profiles

Yahoo supports two primary client profiles:
  • Server-side Application: This consists of an application (client) hosted on a web server. Users access the application using an HTML-based user agent. Client credentials and the tokens issued are stored on the web server and are inaccessible to the user.

  • Client-side Application: In this profile, the client code is downloaded from a web server and runs within a user-agent on the user’s device. Credentials and tokens are accessible to the end user.

Supported Authorization Flows

As per the OAuth 2.0 specification, authorization to access user (resource owner) data can be obtained using four grant types. Yahoo currently supports one of the four grant types:
  • Authorization Code Grant: This grant type is used to obtain access tokens which can be used to authorize access to Yahoo APIs.

Migrating to OAuth 2.0 from OAuth 1.0a

If you have integrated with Yahoo using OAuth 1.0a, you do not need to re-authorize access to your app. Using the Explicit Grant flow, you can provide your original refresh token to receive a new OAuth 2.0 access token. For more information, refer to Step 5: Exchange refresh token for new access token.
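As an added example (not code from this page or from Yahoo), a minimal server-side client for the Authorization Code Grant, the flow the migration note above calls the Explicit Grant flow: it builds the authorization redirect, checks the callback, and prepares the token request both for a fresh authorization code and for an existing refresh token. The endpoint URLs are placeholders, and the token-endpoint body is assumed to use the core OAuth 2.0 parameter names.

```python
import secrets
import base64
from urllib.parse import urlencode, urlparse, parse_qs

# Placeholders, not taken from the page: substitute the real endpoints.
AUTHORIZE_URL = "https://AUTH_SERVER/oauth2/authorize"
TOKEN_URL = "https://AUTH_SERVER/oauth2/token"


def build_authorization_url(client_id, redirect_uri):
    """Redirect target for the user. Returns the URL and the `state` value the
    server must keep in the user's session so the callback can be bound to this
    request; `state` is drawn from a CSPRNG so it cannot be guessed."""
    state = secrets.token_urlsafe(32)
    params = {"client_id": client_id, "redirect_uri": redirect_uri,
              "response_type": "code", "state": state}
    return AUTHORIZE_URL + "?" + urlencode(params), state


def parse_callback(callback_url, expected_state):
    """Validate the redirect back to the server. A missing or mismatched `state`
    means the callback was not started by this server (reject it); an `error`
    parameter is surfaced instead of being mistaken for a code."""
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: callback not bound to a request we issued")
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    return query["code"][0]


def token_request(client_id, client_secret, redirect_uri=None, code=None,
                  refresh_token=None):
    """URL, headers and form body for the token endpoint. Give exactly one of
    `code` (exchange an authorization code) or `refresh_token` (obtain a new
    access token, the migration path described above). The client secret goes
    in an HTTP Basic header, never in the URL, so it stays on the server and
    out of logs and referrers (assumed parameter names: core OAuth 2.0)."""
    if (code is None) == (refresh_token is None):
        raise ValueError("give exactly one of code or refresh_token")
    if code is not None:
        body = {"grant_type": "authorization_code", "code": code,
                "redirect_uri": redirect_uri}
    else:
        body = {"grant_type": "refresh_token", "refresh_token": refresh_token}
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": "Basic " + creds,
               "Content-Type": "application/x-www-form-urlencoded"}
    return TOKEN_URL, headers, urlencode(body)
```

The token response is not parsed here; the access token it carries must be stored server-side with the same care as the client secret.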

Before You Begin

As with OAuth 1.0, you must first sign up and obtain both a Consumer Key and a Consumer Secret.