Implicit Grant Flow for Client-Side Apps

You should use this flow when you have web clients such as JavaScript applications.

Step 1: Sign in and get credentials

First, get a Consumer Key and Consumer Secret by signing in at and creating a project. You will use these credentials for later calls in the OAuth 2.0 flow.

To create an app project, Yahoo needs information about your application including:

  • name
  • type
  • home page URL
  • scopes (permissions for specific services)
  • application domain

Step 2: Get an authorization URL and authorize access

Use the Consumer Key we provide as the client_id to request an authorization URL. Also include the redirect_uri so that Yahoo knows where to redirect users after they authorize access to their data.


Method: GET, POST

Request Authorization URL (/request_auth) call request

Request parameter: description
client_id: Consumer Key provided to you when you signed up.
redirect_uri: Yahoo redirects users to this URL after they authorize access to their private data.
response_type: Must contain the string token.
state: Optional. Your client can insert state information that will be appended to the redirect_uri upon successful user authorization.
language: Optional. Language identifier. Default value is en-us.

Sample URL


You need to reauthorize access from the user in the future when the access token expires or if the user revokes access through Yahoo account settings.

Step 3: User redirected for access authorization

A successful response to request_auth initiates a 302 redirect to Yahoo where the user can authorize access.

Step 4: Extract access token from redirect URL

Once the user authorizes access, the user is redirected back to the redirect_uri you originally specified. The access token is appended to the redirect_uri as a URL fragment (also known as a hash fragment), shown below as #access_token=bHLgV4q6--:

When sent as a URL fragment, the access token is visible only to the client (browser) and is not sent to the server.

You must implement client-side code that extracts the access token from the URL fragment in the browser.
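The two client-side pieces described above (building the Step 2 request_auth URL and extracting the Step 4 token from the fragment), as an added JavaScript example that is not part of Yahoo's documentation; the authorization endpoint host, the sample redirect URL and the state value are assumptions:

```javascript
// Added example, not Yahoo's own code: build the Step 2 request_auth URL and
// extract the Step 4 access token from the redirect fragment. The endpoint
// host below is an assumption; the page only names the path /request_auth.
const AUTHORIZE_URL = "https://api.login.yahoo.com/oauth2/request_auth"; // assumed

// Step 2: the URL the browser is sent to. `state` must be an unguessable value
// the client stores (e.g. sessionStorage) and checks again on return.
function buildAuthorizeUrl({ clientId, redirectUri, state, language }) {
  const url = new URL(AUTHORIZE_URL);
  url.searchParams.set("client_id", clientId);
  url.searchParams.set("redirect_uri", redirectUri);
  url.searchParams.set("response_type", "token"); // implicit grant
  url.searchParams.set("state", state);
  if (language) url.searchParams.set("language", language); // default en-us
  return url.toString();
}

// Step 4: read "#access_token=...&state=..." from the redirected URL.
// Only the fragment is consulted: a token in the query string would already
// have reached the server, which this flow is designed to avoid.
function parseFragment(redirectedUrl) {
  const hash = new URL(redirectedUrl).hash;
  if (!hash.startsWith("#")) return null;
  const params = new URLSearchParams(hash.slice(1));
  const accessToken = params.get("access_token");
  if (!accessToken) return null;
  // expires_in is the standard RFC 6749 lifetime field; treat it as optional.
  const expiresIn = params.has("expires_in") ? Number(params.get("expires_in")) : null;
  return { accessToken, expiresIn, state: params.get("state") };
}

// Accept the token only when the echoed state equals the one this client
// generated; otherwise the redirect is not the reply to our own request.
function acceptRedirect(redirectedUrl, expectedState) {
  const parsed = parseFragment(redirectedUrl);
  if (!parsed) return { ok: false, reason: "no access_token in fragment" };
  if (!expectedState || parsed.state !== expectedState) {
    return { ok: false, reason: "state mismatch" };
  }
  // In a browser, clear the fragment afterwards so the token does not stay in
  // history: history.replaceState(null, "", location.pathname + location.search)
  return { ok: true, accessToken: parsed.accessToken, expiresIn: parsed.expiresIn };
}

// Constructed sample redirect; the token value is the one shown on the page.
const SAMPLE_REDIRECT =
  "https://app.example.com/callback#access_token=bHLgV4q6--&expires_in=3600&state=xyz123";
console.log(acceptRedirect(SAMPLE_REDIRECT, "xyz123")); // ok: true, accessToken "bHLgV4q6--"
```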


This flow does not provide a refresh token, so you will need to repeat the steps above to get a new access token.