OAuth authorization in YooMoney
If you want a user to work with YooMoney payments in your app, you need to obtain permission to carry out transactions on their behalf in the form of an OAuth token. Authorization is implemented with the OAuth 2.0 protocol.
To interact with the YooMoney API on behalf of the user, you need their permission to run certain transactions. You can request the following rights:
- payment creation;
- payment capture;
- getting information about payments;
- payment cancellation;
- saving and using payment methods for recurring payments;
- refund creation;
- getting information about refunds;
- getting information about commissions.
Select a set of rights required for your app to fully operate.
If you'd like to save and use payment methods for recurring payments, check out the manual for enabling recurring payments for partners.
Process for OAuth authorization in YooMoney:
- Redirect the user to YooMoney’s OAuth server and get an authorization code.
- Exchange the authorization code for an OAuth token.
- Use this token to interact with the YooMoney API.
YooMoney's OAuth authorization
When a user allows you to act on their behalf, the OAuth server will create a verification code and send it either in the Callback URL or via the user who manually enters the code in your app.
Callback URL: You specify the Callback URL in advance: it's the address of a page on your side to which the user returns after permission is granted. When the user grants the rights, the OAuth server appends the verification code to the Callback URL and redirects the user to the resulting URL. You'll need to extract the code from that URL. This method is suitable for apps that can process the Callback URL.
Code entered by the user: When the user grants the rights, the OAuth server displays the verification code on the page. You need to give the user a way to enter the code in your app. This method is suitable for apps that can't process the Callback URL (for example, Smart TV).
The received verification code must be exchanged for an OAuth token within five minutes.
The validity period of a YooMoney OAuth token is 5 years. After that, you need to request the rights again and receive a new token.
If your OAuth token has expired, YooMoney will return an error when you process a transaction (payment or refund) via the YooMoney API.
A YooMoney OAuth token allows making financial transactions on behalf of the user. Only your app must have access to the token, so don't publish it or store it in browser cookies.
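The flow described above (redirect to the OAuth server, code received via the Callback URL or typed in by the user, exchange within five minutes, token valid for five years), as an added Python example that is not YooMoney's own code. The endpoint URLs, query parameter names and the shape of the token request are assumptions shown as placeholders; the exchange request is built but not sent, so the example runs offline.

```python
"""Added example, not YooMoney's code: the OAuth 2.0 authorization-code flow
as described on this page, kept offline. AUTHORIZE_URL, TOKEN_URL and the
parameter names are placeholders, not YooMoney's real endpoints."""
import base64
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder endpoints (assumption; take the real ones from the YooMoney reference).
AUTHORIZE_URL = "https://oauth.example.invalid/authorize"
TOKEN_URL = "https://oauth.example.invalid/token"

CODE_TTL_SECONDS = 5 * 60                  # page: exchange the code within five minutes
TOKEN_TTL_SECONDS = 5 * 365 * 24 * 60 * 60  # page: token is valid for 5 years


def new_state() -> str:
    """Unpredictable per-session value that binds a callback to the request we started."""
    return secrets.token_urlsafe(32)


def build_authorization_url(client_id: str, redirect_uri: str, scopes: list, state: str) -> str:
    """Step 1: the URL the user is redirected to on the OAuth server."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,   # must match the Callback URL registered for the app
        "scope": " ".join(scopes),
        "state": state,
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def code_from_callback(callback_url: str, expected_state: str) -> str:
    """Callback URL path: extract the verification code the OAuth server appended.
    Rejects callbacks whose state does not match the session that started the flow."""
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to this session")
    if "error" in qs:
        raise PermissionError(f"authorization was not granted: {qs['error'][0]}")
    code = qs.get("code", [None])[0]
    if not code:
        raise ValueError("no verification code in callback URL")
    return code


def code_from_user_input(raw: str) -> str:
    """Manual-entry path (e.g. Smart TV): normalise the code the user typed."""
    code = raw.strip()
    if not code:
        raise ValueError("empty verification code")
    return code


def build_token_request(client_id: str, client_secret: str, code: str, redirect_uri: str,
                        code_received_at: float, now: float = None) -> dict:
    """Step 2: build (not send) the code-for-token exchange. A code older than
    five minutes is refused locally instead of sending a request that would fail."""
    now = time.time() if now is None else now
    if now - code_received_at > CODE_TTL_SECONDS:
        raise TimeoutError("verification code expired; restart the authorization")
    # Client ID / Client Secret sent as HTTP Basic credentials (assumed format).
    credentials = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {
        "url": TOKEN_URL,
        "headers": {
            "Authorization": f"Basic {credentials}",
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode({"grant_type": "authorization_code",
                           "code": code, "redirect_uri": redirect_uri}),
    }


def token_record(access_token: str, issued_at: float) -> dict:
    """Step 3: keep the token server-side together with its computed expiry, so the
    app can re-request rights before YooMoney starts returning errors."""
    return {"access_token": access_token, "expires_at": issued_at + TOKEN_TTL_SECONDS}


def token_is_valid(record: dict, now: float = None) -> bool:
    now = time.time() if now is None else now
    return now < record["expires_at"]


if __name__ == "__main__":
    state = new_state()
    print(build_authorization_url("client-id", "https://app.example/cb", ["payments"], state))
    # Constructed callback as the OAuth server would produce it for this session.
    received = time.time()
    code = code_from_callback(f"https://app.example/cb?code=demo-code&state={state}", state)
    req = build_token_request("client-id", "client-secret", code, "https://app.example/cb", received)
    print(req["headers"]["Authorization"], req["body"])
```

The token itself never goes into a cookie or the page; `token_record` is what the server-side store would hold, and `token_is_valid` lets the app notice the five-year expiry itself rather than discovering it from a failed payment.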
You need to register your app on YooMoney's OAuth server and then set up the interaction with OAuth tokens.
In order to register the app:
- Go to the OAuth in YooMoney page. Sign in to an existing YooMoney account or create a new one.
- Click Register on the page for apps for OAuth.
- When registering the app, enter its name, a short description which the user will see, and a link to the app's website.
- Select how you'd like to receive the verification code:
  - If you'd like to extract the verification code from the Callback URL, select Specify in Callback URL and enter the address where users should be redirected after permission is granted.
  - If you'd like users to enter the code manually, select Display on the page.
- In the Access rights section (in the YooMoney API block), select the rights required for complete interaction with your app. You don't need to select rights from other blocks: they're not required for the interaction with the API.
- Click Register.
Done!
To start working with OAuth tokens, you'll need an identifier (Client ID) and a password (Client Secret), which you'll receive after you register your app. They'll also be available in the app's properties (click the app's name to open its properties).
Use the demo store for testing and configuration.