Access token scope
When invoking a protocol operation, you must pass an access token that has the necessary permissions. The list of permissions is requested as the
scope parameter value of call authorize OAuth2-application authorization by the user; permissions are separated by a space.Possible permissions
| Permission | Description |
|---|---|
| account-info | To get information about the account status (see the account-info method). |
| operation-history | To view the history of account operations (see the operation-history method). |
| operation-details | To view the history of account operations (see the operation-history method). |
| payment | To make payments to a particular merchant or transfer funds to a particular User account, see the request-payment and process-payment methods. |
| payment-shop | To make payments to any merchant accessible via the API (see the request-payment and process-payment methods). |
| payment-p2p | To transfer funds to any accounts, or email addresses of other users, see the request-payment and process-payment methods. |
| money-source | Available payment methods (see the request-payment and process-payment methods). For more information, see The money-source permission. |
The following cannot be used simultaneously in
scope:payment-p2ppermission andpayment.to-accountpermissionpayment-shoppermission andpayment.to-patternpermission
Some permissions require setting string values that may contain symbols that violate the
scope syntax. For such symbols, use backslash escaping according to JSON format. For example:\" \\
Restrictions that apply to permissions
Restrictions (limits) may be applied to the permissions granted. Limits are specified like this:
permission_name.destination.limit
Restrictions that can be applied to permissions:
- destination — payment recipient;
- limit — payment limit.
Destination condition (the payment recipient)
Applies to the permission:
payment.Only one of the following conditions can be specified as a value:
to-pattern (patternId)— restricts sending payments only using the specifiedpatternId.to-account (to)— restricts transfers of funds only to the account of a specific user. For the recipient ID (to), you can use an account number, mobile phone number that is linked with the user’s account, or the user’s email address.
Example for specifying the transfer recipient using an account number
.to-account("41001XXXXXXXX")
Instead of using the account number as the recipient’s ID, you can use the mobile phone number associated with the account (if the recipient has one). The specified phone number must be in the format of the ITU-T E.164 Numbering plan of the international telephone service.
For Russia, this is the full number starting from
7, without the '+' symbol. For example: 79219990099Example for specifying the transfer recipient using a linked mobile phone number
.to-account("79219990099")
Acceptable ways of formatting email addresses are described in Wikipedia. Keep in mind that email addresses may contain symbols that violate the
scope syntax, such as double quotes.For such symbols, use backslash escaping according to JSON format. For example:
\" \\
Example of specifying the transfer recipient using email
.to-account("username@example.ru")
Limit condition (payment limit)
limit(duration,sum)
Applies to these permissions:
payment, payment-shop, payment-p2p.The limit is specified last.
Format:
limit(duration,sum)— limit to the total amount of payments over a period of time;limit(,sum)— delegation of rights to make a one-time payment for a fixed amount.
Parameters
| Parameter | Value |
|---|---|
| duration | Period of time, in days. If omitted, payment can only be made once using the given permission. |
| sum | Total amount for all payments over the period in duration, in the currency used for the account. |
Condition
limit you can use it for delegating one-time payments. The expiration of the permission is the same as for the token. The user cannot change the payment amount.Restrictions:
- Within one
scopeyou can specify either only payments per period, or only one-time payments. - If
scopecontains a requirement for one-time payment, then with thepaymentright, you can only specifymoney-sourceandaccount-info, all other rights are forbidden. - Regardless of the value of the requested limits, payments can also be subject to restrictions set by YooMoney for various types of transactions.
Example: payments restricted to 100 rubles and 50 kopecks per day, and the user can change the amount
.limit(1,100.50)
Example: one-time payment of 1000 rubles and the user cannot change the amount.
.limit(,1000)
By default:
limit(1,3000) — 3000 rubles per day, and the user can change the amount.The money-source permission
Informs YooMoney which payment methods are supported by the application.
Format
money-source(list_of_payment_methods)
The requested method for making a payment:
wallet— payments from the YooMoney wallet;card— from the user’s bank card linked to the wallet.
Default:
wallet.Bank cards cannot be used for transferring funds to other users' accounts.
Example of payment using both a linked bank card and a wallet
money-source("wallet","card")
Example of payment using only a linked bank card
money-source("card")
Example of payment only from a wallet
money-source("wallet")
Examples of values for the scope parameter
Permitted to view payment history
account-info operation-history operation-details
Permitted to view the account balance and make payments to merchant 123 for up to 1,000 rubles per week
account-info payment.to-pattern("123").limit(7,1000)
Permitted to make transfers to account XXXX, but no more than 500 rubles over a two-week period
payment.to-account("XXXX").limit(14,500)
Permitted to make a one-time transfer to the account linked to phone number ZZZ, in the amount of 500 rubles
payment.to-account("ZZZ","phone").limit(,500)
Permitted to make payments from the linked bank card to merchant 123 up to a total of 1000 rubles per week
payment.to-pattern("123").limit(7,1000) money-source("wallet","card")