App authorization process
In order to access a user’s YooMoney account, your application must complete the authorization process.
The OAuth2 protocol makes authorization secure and convenient. With OAuth2 authorization, applications don’t need to ask users for their login and password. Instead, a user grants permission for an application to access his account within the restrictions allowed by the user.
Application authorization in YooMoney conforms to the following specifications:
  • The OAuth 2.0 Authorization Framework
  • The OAuth 2.0 Authorization Framework: Bearer Token Usage
Diagram illustrating how an application and a user interact with the YooMoney OAuth server:
Interaction with the YooMoney server
Developer steps
Step 1. The developer registers the application in YooMoney. According to the OAuth2 protocol, this is the Registration Request stage. The YooMoney service issues the developer a client_id, which is a string type application ID.
Step 2. The developer embeds this client_id in the application code, declaring it a constant. Then the application can be distributed using any convenient method. The client_id remains constant during the entire application lifecycle.
How a user authorizes an application
  1. The user initializes authorization of the application for managing his account.
  2. The application sends the Authorization Request to the YooMoney server.
  3. YooMoney redirects the user to the authentication page.
  4. The user enters his login and password, reviews the list of requested permissions, and either approves or rejects the authorization request.
  5. The application receives an Authorization Response in the form of an HTTP Redirect with either a temporary authorization code or an error code.
  6. The application sends a request for an access token (Access Token Request), using the temporary authorization code in the request.
  7. The response contains the permanent access_token.
  8. The application informs the user of the authorization results.
Verifying the application’s authenticity using a secret word
The YooMoney service provides an additional way to verify that the access token is coming from your application.
To do this, when obtaining the access token (the /oauth/token call), the application passes a secret word (client_secret) that is only known to the application.
Security requirements
  1. All network interactions are transmitted only via HTTPS.
  2. The TLS version is 1.2 or later.
  3. In order to prevent compromise of authorization data, the application must verify the validity of the server SSL certificate and abort the session immediately if validation fails.
  4. Do not store the access token in unencrypted format, for example, as cookies.
  5. Never use the access token in request parameters (GET, POST etc).
  6. The secret word should never be transmitted through the user’s device or browser.
  7. The secret word should not be used in any requests other than the request to get a token.