OAuth authorization in YooMoney
If you want a user to work with YooMoney payments in your app, you need their permission to carry out transactions on their behalf, in the form of an OAuth token. Implement authorization using the OAuth 2.0 protocol.
Procedure for OAuth authorization in YooMoney:
  1. Redirect the user to YooMoney’s OAuth server and get an authorization code.
  2. Exchange the authorization code for an OAuth token.
  3. Use this token to interact with the YooMoney API.
YooMoney's OAuth authorization
Only YooMoney users with the Owner role can grant rights.
Below, we’ll describe the process of authorization via OAuth for interacting with the YooMoney API.
 
Preparation
Before starting the process, register your app with YooMoney's OAuth server. You will need to sign in to your YooMoney account.
During registration, select the set of rights for interacting with YooMoney in the Permissions section. You can request the following rights:
  • payment creation;
  • payment capture;
  • payment cancellation;
  • refund creation;
  • getting information about commissions.
These rights are enough for proper payment acceptance via YooMoney.
To implement OAuth authorization, you will need the app’s ID and password. This information is available in the app’s properties (click on the app’s title to view its properties).
 
Step 1. Get an authorization code
To get an authorization code for the OAuth token, redirect the user to YooMoney’s OAuth server.
Format of the URL for redirecting the user
https://yookassa.ru/oauth/v2/authorize?client_id=<App ID>&response_type=<Required response>&state=<value of the state parameter in request>
Description of parameters
  • response_type: Required response. Specify the code (authorization code) value. Required parameter.
  • client_id: Your app’s ID. Required parameter.
  • state: The state string, which YooMoney returns without making any changes. You can use it to identify the user you’re requesting the token from. Maximum allowed length is 1024 characters. Optional parameter.
After the user grants the rights to your app, YooMoney’s OAuth server will redirect them to the Callback URL you specified during app registration.
Example of the URL the user will be redirected to in case of success
http://www.example.com/app?code=rvunUlge6gUMx6TT0UT6ys4y398qqG73KQb1PjXETuX6eiQYJXXi-IrNHe49a9mt&state=324234
Description of parameters
  • code: The authorization code that can be exchanged for an OAuth token. Required parameter.
  • state: The state string, which YooMoney returns without making any changes. Optional parameter.
If the user refused to grant the rights, they will be returned to the Callback URL with the access_denied error and the state parameter.
Example of the URL the user will be redirected to in case of an error
http://www.example.com/token?error=access_denied&state=324234
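Because state comes back unchanged, a callback handler can also use it to reject redirects that it did not start. The sketch below is an added example, not YooMoney's code: it issues a single-use random state, then validates both the success and the access_denied callback formats shown above. The session dict and all function names are assumptions standing in for your framework's server-side session.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

AUTHORIZE_URL = "https://yookassa.ru/oauth/v2/authorize"  # from the page
MAX_STATE_LEN = 1024  # limit given in the parameter description


class CallbackError(Exception):
    """Raised when the callback must not be turned into a token request."""


def build_authorize_url(client_id, session):
    """Store a fresh state in the server-side session and return the redirect URL."""
    state = secrets.token_urlsafe(32)  # 43 URL-safe characters, unguessable
    if len(state) > MAX_STATE_LEN:
        raise ValueError("state exceeds the documented length limit")
    session["oauth_state"] = state  # hypothetical session key
    query = urlencode({"client_id": client_id,
                       "response_type": "code",
                       "state": state})
    return f"{AUTHORIZE_URL}?{query}"


def handle_callback(callback_url, session):
    """Return the authorization code, or raise CallbackError."""
    params = parse_qs(urlsplit(callback_url).query)
    expected = session.pop("oauth_state", None)  # single use: a replay finds nothing
    received = params.get("state", [""])[0]
    # Check state first, so an unsolicited redirect is rejected whatever it carries.
    if not expected or not hmac.compare_digest(expected.encode(), received.encode()):
        raise CallbackError("state mismatch")
    if "error" in params:  # e.g. error=access_denied
        raise CallbackError(params["error"][0])
    codes = params.get("code", [])
    if len(codes) != 1 or not codes[0]:
        raise CallbackError("missing code")
    return codes[0]
```

To identify the user, as the parameter description suggests, look them up from the session that holds the state rather than putting a user ID into the state value itself.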
 
Step 2. Exchange the authorization code for an OAuth token
The code is valid for 5 minutes. You must exchange it for an OAuth token within this period, otherwise you will have to request it again.
To exchange the authorization code for an OAuth token, send a POST request to YooMoney’s OAuth server and specify the authorization code, your app’s ID, and the password.
Example of request
cURL
curl https://yookassa.ru/oauth/v2/token \
  -u <App ID>:<App password> \
  -d grant_type=authorization_code \
  -d code=<Authorization code>
In response, the OAuth server will return the OAuth token in the access_token field.
Example of response body with the OAuth token
JSON
{
  "access_token": "AAEAAAAA8cSwPQAAAXUcZAXZ9hmYP3bKvY2r3ALwPYRYhrnOiKDEou9aLKiLYArHj2Tke-syRshb-1TQ1Ns_nQbc",   
  "expires_in": 94607999
}
Save the OAuth token for further interaction with the YooMoney API.
YooMoney’s OAuth token allows performing transactions on behalf of the user. The token must only be accessible to your app, so don’t publish it in open sources and don’t save it in the browser’s cookies.
If the OAuth token couldn’t be provided, the response will contain the error description.
YooMoney’s OAuth tokens have a lifespan of 5 years. If an OAuth token has expired, YooMoney will return an error.
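One way to handle the token response on the server, shown as an added example rather than YooMoney's code: it validates the JSON body shown above, converts expires_in into an absolute expiry time, and keeps the token out of repr() so it does not end up in logs. StoredToken, account_ref and parse_token_response are hypothetical names.

```python
import json
import time
from dataclasses import dataclass, field


@dataclass(frozen=True)
class StoredToken:
    account_ref: str                        # hypothetical: your own ID for the user
    access_token: str = field(repr=False)   # excluded from repr(), so not logged
    expires_at: int = 0                     # Unix time derived from expires_in

    def is_expired(self, now=None):
        return (time.time() if now is None else now) >= self.expires_at

    def auth_header(self):
        # Header format used for requests to the YooMoney API (Step 3).
        return {"Authorization": f"Bearer {self.access_token}"}


def parse_token_response(raw_body, account_ref, now=None):
    """Validate the token endpoint's JSON body and build a StoredToken."""
    try:
        data = json.loads(raw_body)
    except ValueError as exc:
        raise ValueError("token response is not valid JSON") from exc
    if not isinstance(data, dict):
        raise ValueError("token response is not a JSON object")
    token = data.get("access_token")
    expires_in = data.get("expires_in")
    if not isinstance(token, str) or not token:
        # The response carried an error description instead of a token.
        raise ValueError("token response has no access_token")
    if isinstance(expires_in, bool) or not isinstance(expires_in, int) or expires_in <= 0:
        raise ValueError("token response has no usable expires_in")
    issued = int(time.time() if now is None else now)
    return StoredToken(account_ref, token, issued + expires_in)
```

Keep the resulting record in server-side storage keyed by your own session or user ID; the browser only ever needs that ID, never the token.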
 
Step 3. Use the OAuth token to interact with the YooMoney API
Use the received OAuth token for every request to the YooMoney API. Specify the OAuth token in the Authorization header.
The only requests you can send to the YooMoney API are the ones you requested the rights for during app registration.
Example of request to the YooMoney API with an OAuth token
cURL
curl https://api.yookassa.ru/v3/me \
  -H 'Authorization: Bearer <OAuth token>'
Example of the response body
JSON
{
  "account_id": "123",
  "test": false,
  "fiscalization_enabled": true,
  "payment_methods": [
    "bank_card",
    "yoo_money"
  ],
  "status": "enabled"
}
