Get a confirmation code from the user
Some apps (such as console apps) can't get a confirmation code from a URL. In this case, the user should get the code from Yandex OAuth and enter it in the app.
-
For the user to confirm granting access to their data, configure your app to redirect them to the Yandex OAuth page. To do this, use a request for displaying the confirmation code.
Tip
If no browser is available on the device where the app is installed, the user will have to visit the needed address on their computer. To make entering the address easier, provide users with a QR code or a short link.
-
The confirmation code is displayed in the browser. To achieve that, specify the address
https://oauth.yandex.com/verification_codein the Redirect URI field when registering the app. -
To exchange the confirmation code for an OAuth token, the app has to send a POST request.
The obtained token can be saved in the app and used for API requests until its lifetime ends. Only your app should have access to the token, so avoid saving it in the browser or public configuration files.
Request a confirmation code
Request format
https://oauth.yandex.com/authorize?response_type=code
& client_id=<app ID>
[& device_id=<device ID>]
[& device_name=<device name>]
[& redirect_uri=<redirect URL>]
[& login_hint=<username or email address>]
[& scope=<requested required permissions>]
[& optional_scope=<requested optional permissions>]
[& force_confirm=yes]
[& state=<arbitrary string>]
[& code_challenge=<transformed version of code_verifier>]
[& code_challenge_method=<transformation method>]
Required parameters
|
Parameter |
Description |
|
|
The required response. Should be set to |
|
|
The app ID. It can be found in the app properties. To open them, go to Yandex OAuth and select the app name. |
Optional parameters
|
Parameter |
Description |
|
|
Unique ID of the device the token is requested for. To ensure uniqueness, just generate a UUID once and use it every time a new token is requested from this device. The ID must be from 6 to 50 characters long. Only printable ASCII characters are allowed (with codes from 32 to 126). Learn more about tokens for individual devices on the Revoke a token for a device page. If the Alert An app can have up to 30 tokens linked to a user's devices. If Yandex OAuth issues a new device token for the app, the oldest token stops working. |
|
|
The name of the device to show users. Up to 100 characters. For mobile devices, we recommend passing the device name specified by the user. If a name is missing, the name can be taken from the device model, OS name and version, and so on. If the |
|
|
A URL to redirect the user to after they grant access to the app. By default, the first Redirect URI specified in the app settings is used (Platforms → Web services → Redirect URI). Only the addresses listed in the app settings can be included in this parameter's value. The parameter is ignored when the URLs don't match exactly. |
|
|
A string that explicitly points to the account for which a token is requested. A Yandex account username, Yandex Mail address, or Yandex Mail for Domain address can be passed in the parameter value. This parameter helps the user to log in to the Yandex account that your app needs access to. When Yandex OAuth receives this parameter, it checks the user's login status:
When this parameter points to a nonexistent account, Yandex OAuth can only inform the user about it. The app will have to request a token again. |
|
|
A list of permissions that the app needs. Values in the list are space-separated. You should only request permissions from the list defined at the time of app registration. To see the allowed permissions, open the link https://oauth.yandex.com/client/<client_id>/info, replacing <client_id> with your app's ID. If the |
|
|
Optional permissions are requested in addition to those specified in the You should only request permissions from the list defined at the time of app registration. To see the allowed permissions, open the link https://oauth.yandex.com/client/<client_id>/info, replacing <client_id> with your app's ID. The user can choose which optional permissions to grant. The token is issued with the permissions set in the This parameter can be used, for example, when the app needs the user's email address to register them, while access to the avatar is good to have but not required. Note Permissions included both in |
|
|
The flag indicating whether permission to access the user's account should be requested every time (even when the user has already granted access for this app). After receiving this parameter, Yandex OAuth prompts the user to grant the app access and select a Yandex account. This parameter can come in handy when, for example, the user is logged in to your website with a specific Yandex account and wants to switch to a different one. If you don't use this parameter, the user will have to explicitly switch accounts in a Yandex service or revoke the token issued for the website. The parameter is processed if its value is |
|
|
The status bar that Yandex OAuth returns without changes. The maximum allowed string length is 1024 characters. Can be used, for example, to protect against CSRF attacks or identify the user the token is requested for. |
|
|
The |
|
|
The method of transforming the |
Response format
When the user grants access to their data, Yandex OAuth displays the confirmation code:
The code's lifetime is 10 minutes. When it expires, you need to request a new code.
Exchange the confirmation code for an OAuth token
Request format
POST /token HTTP/1.1
Host: https://oauth.yandex.com/
Content-type: application/x-www-form-urlencoded
Content-Length: <request body length>
[Authorization: Basic <Base64-encoded string `client_id:client_secret`>]
grant_type=authorization_code
& code=<confirmation code>
[& client_id=<app ID>]
[& client_secret=<secret key>]
[& device_id=<device ID>]
[& device_name=<device name>]
[& code_verifier=<verifier>]
Required parameters
|
Parameter |
Description |
|
|
The method used to request the OAuth token. If you use a confirmation code, set the value to |
|
|
Confirmation code from Yandex OAuth. The code's lifetime is 10 minutes. When it expires, you need to request a new code. |
Optional parameters
|
Parameter |
Description |
|
|
The app ID. It can be found in the app properties. To open them, go to Yandex OAuth and select the app name. The secret key and app ID can also be passed in the |
|
|
The secret key. It can be found in the app properties. To open them, go to Yandex OAuth and select the app name. The secret key and app ID can also be passed in the If the PKCE extension is used for data protection and the |
|
|
Unique ID of the device the token is requested for. To ensure uniqueness, just generate a UUID once and use it every time a new token is requested from this device. The ID must be from 6 to 50 characters long. Only printable ASCII characters are allowed (with codes from 32 to 126). Learn more about tokens for individual devices on the Revoke a token for a device page. If the Alert An app can have up to 30 tokens linked to a user's devices. If Yandex OAuth issues a new device token for the app, the oldest token stops working. |
|
|
The name of the device to show users. Up to 100 characters. For mobile devices, we recommend passing the device name specified by the user. If a name is missing, the name can be taken from the device model, OS name and version, and so on. If the |
|
|
The verifier ensuring that transmitted data is protected. This parameter is used when working with the PKCE protocol extension. It's an arbitrary string generated by the app. |
Request parameters must be passed in the request body and must be URL-encoded.
Note
To pass the app ID and secret key in the Authorization header, encode the string <client_id>:<client_secret> with Base64.
If Yandex OAuth receives the Authorization header, the client_id and client_secret parameters in the request body are ignored.
Response format
Yandex OAuth returns an OAuth token, a refresh token, and their lifetime in JSON format:
200 OK
Content-type: application/json
{
"token_type": "bearer",
"access_token": "AQAAAACy1C6ZAAAAfa6vDLuItEy8pg-iIpnDxIs",
"expires_in": 124234123534,
"refresh_token": "1:GN686QVt0mmakDd9:A4pYuW9LGk0_UnlrMIWklkAuJkUWbq27loFekJVmSYrdfzdePBy7:A-2dHOmBxiXgajnD-kYOwQ",
"scope": "login:info login:email login:avatar"
}
Response parameters:
|
Property |
Description |
|
|
Type of token issued. Always takes the |
|
|
An OAuth token with the requested rights or with the rights specified when registering the app. |
|
|
Token lifetime in seconds. |
|
|
A token that can be used to extend the lifetime of the corresponding OAuth token. The lifetime of the refresh token is the same as that of the OAuth token. |
|
|
Permissions requested by the developer or specified during app registration. The |
If a token couldn't be issued, the response contains an error description:
{
"error_description": "<error message>",
"error": "<error code>"
}
Possible error codes:
-
authorization_pending— User hasn't entered the confirmation code yet. -
bad_verification_code— The passedcodevalue isn't a 7-digit number. -
invalid_client: The app with the specified ID (theclient_idparameter) wasn't found or is blocked. This code is also returned if theclient_secretparameter passed an invalid app password. -
invalid_grant— Invalid or expired confirmation code. -
invalid_request: Invalid request format (one of the parameters isn't specified, specified twice, or isn't passed in the request body). -
invalid_scope— App permissions changed after the confirmation code was generated. -
unauthorized_client: The app was rejected during moderation or is awaiting moderation. Also returned if the app is blocked. -
unsupported_grant_type: Invalidgrant_typeparameter value. -
Basic auth required: The authorization type specified in theAuthorizationheader is notBasic
. -
Malformed Authorization header: TheAuthorizationheader isn't in<client_id>:<client_secret>format, or this string isn't Base64-encoded.