Access token scope

When invoking a protocol operation, you must pass an access token that has the necessary permissions. The list of permissions is requested as the scope parameter value of call authorize OAuth2-application authorization by the user; permissions are separated by a space.

Possible permissions

Permission	Description
account-info	To get information about the account status (see the account-info method).
operation-history	To view the history of account operations (see the operation-history method).
operation-details	To view the history of account operations (see the operation-history method).
payment	To make payments to a particular merchant or transfer funds to a particular User account, see the request-payment and process-payment methods.
payment-shop	To make payments to any merchant accessible via the API (see the request-payment and process-payment methods).
payment-p2p	To transfer funds to any accounts, or email addresses of other users, see the request-payment and process-payment methods.
money-source	Available payment methods (see the request-payment and process-payment methods). For more information, see The money-source permission.

The following cannot be used simultaneously in scope:

payment-p2p permission and payment.to-account permission
payment-shop permission and payment.to-pattern permission

Some permissions require setting string values that may contain symbols that violate the scope syntax. For such symbols, use backslash escaping according to JSON format. For example:

\" \\

Restrictions that apply to permissions

Restrictions (limits) may be applied to the permissions granted. Limits are specified like this:

permission_name.destination.limit

Restrictions that can be applied to permissions:

destination — payment recipient;
limit — payment limit.

Destination condition (the payment recipient)

Applies to the permission: payment.

Only one of the following conditions can be specified as a value:

to-pattern (patternId) — restricts sending payments only using the specified patternId.
to-account (to) — restricts transfers of funds only to the account of a specific user. For the recipient ID (to), you can use an account number, mobile phone number that is linked with the user’s account, or the user’s email address.

Example for specifying the transfer recipient using an account number

.to-account("41001XXXXXXXX")

Instead of using the account number as the recipient’s ID, you can use the mobile phone number associated with the account (if the recipient has one). The specified phone number must be in the format of the ITU-T E.164 Numbering plan of the international telephone service.

For Russia, this is the full number starting from 7, without the '+' symbol. For example: 79219990099

Example for specifying the transfer recipient using a linked mobile phone number

.to-account("79219990099")

Acceptable ways of formatting email addresses are described in Wikipedia. Keep in mind that email addresses may contain symbols that violate the scope syntax, such as double quotes.

For such symbols, use backslash escaping according to JSON format. For example:

\" \\

Example of specifying the transfer recipient using email

.to-account("username@example.ru")

Limit condition (payment limit)

limit(duration,sum)

Applies to these permissions: payment, payment-shop, payment-p2p.

The limit is specified last.

Format:

limit(duration,sum) — limit to the total amount of payments over a period of time;
limit(,sum) — delegation of rights to make a one-time payment for a fixed amount.

Parameters

Parameter	Value
duration	Period of time, in days. If omitted, payment can only be made once using the given permission.
sum	Total amount for all payments over the period in `duration`, in the currency used for the account.

Condition limit you can use it for delegating one-time payments. The expiration of the permission is the same as for the token. The user cannot change the payment amount.

Restrictions:

Within one scope you can specify either only payments per period, or only one-time payments.
If scope contains a requirement for one-time payment, then with the payment right, you can only specify money-source and account-info, all other rights are forbidden.
Regardless of the value of the requested limits, payments can also be subject to restrictions set by YooMoney for various types of transactions.

Example: payments restricted to 100 rubles and 50 kopecks per day, and the user can change the amount

.limit(1,100.50)

Example: one-time payment of 1000 rubles and the user cannot change the amount.

.limit(,1000)

By default: limit(1,3000) — 3000 rubles per day, and the user can change the amount.

The money-source permission

Informs YooMoney which payment methods are supported by the application.

Format

money-source(list_of_payment_methods)

The requested method for making a payment:

wallet — payments from the YooMoney wallet;
card — from the user’s bank card linked to the wallet.

Default: wallet.

Bank cards cannot be used for transferring funds to other users' accounts.

Example of payment using both a linked bank card and a wallet

money-source("wallet","card")

Example of payment using only a linked bank card

money-source("card")

Example of payment only from a wallet

money-source("wallet")

Examples of values for the scope parameter

Permitted to view payment history

account-info operation-history operation-details

Permitted to view the account balance and make payments to merchant 123 for up to 1,000 rubles per week

account-info payment.to-pattern("123").limit(7,1000)

Permitted to make transfers to account XXXX, but no more than 500 rubles over a two-week period

payment.to-account("XXXX").limit(14,500)

Permitted to make a one-time transfer to the account linked to phone number ZZZ, in the amount of 500 rubles

payment.to-account("ZZZ","phone").limit(,500)

Permitted to make payments from the linked bank card to merchant 123 up to a total of 1000 rubles per week

payment.to-pattern("123").limit(7,1000) money-source("wallet","card")