Access token scope
When invoking a protocol operation, you must pass an access token that has the necessary permissions. The list of permissions is requested as the scope parameter value of call authorize OAuth2-application authorization by the user; permissions are separated by a space.
Possible permissions
account-infoTo get information about the account status (see the account-info method).
operation-historyTo view the history of account operations (see the operation-history method).
operation-detailsTo view the history of account operations (see the operation-history method).
paymentTo make payments to a particular merchant or transfer funds to a particular User account, see the request-payment and process-payment methods.
payment-shopTo make payments to any merchant accessible via the API (see the request-payment and process-payment methods).
payment-p2pTo transfer funds to any accounts, or email addresses of other users, see the request-payment and process-payment methods.
money-sourceAvailable payment methods (see the request-payment and process-payment methods). For more information, see The money-source permission.
Some permissions require setting string values that may contain symbols that violate the scope syntax. For such symbols, use backslash escaping according to JSON format. For example:
\" \\
Restrictions that apply to permissions
Restrictions (limits) may be applied to the permissions granted. Limits are specified like this:
Restrictions that can be applied to permissions:
Destination condition (the payment recipient)
Applies to the permission: payment.
Only one of the following conditions can be specified as a value:
  • to-pattern (patternId) — restricts sending payments only using the specified patternId.
  • to-account (to) — restricts transfers of funds only to the account of a specific user. For the recipient ID (to), you can use an account number, mobile phone number that is linked with the user’s account, or the user’s email address.
Example for specifying the transfer recipient using an account number
Instead of using the account number as the recipient’s ID, you can use the mobile phone number associated with the account (if the recipient has one). The specified phone number must be in the format of the ITU-T E.164 Numbering plan of the international telephone service.
For Russia, this is the full number starting from 7, without the '+' symbol. For example: 79219990099
Example for specifying the transfer recipient using a linked mobile phone number
Acceptable ways of formatting email addresses are described in Wikipedia. Keep in mind that email addresses may contain symbols that violate the scope syntax, such as double quotes.
For such symbols, use backslash escaping according to JSON format. For example:
\" \\
Example of specifying the transfer recipient using email
Limit condition (payment limit)
Applies to these permissions: payment, payment-shop, payment-p2p.
The limit is specified last.
  • limit(duration,sum) — limit to the total amount of payments over a period of time;
  • limit(,sum) — delegation of rights to make a one-time payment for a fixed amount.
durationPeriod of time, in days. If omitted, payment can only be made once using the given permission.
sumTotal amount for all payments over the period in duration, in the currency used for the account.
Condition limit you can use it for delegating one-time payments. The expiration of the permission is the same as for the token. The user cannot change the payment amount.
  • Within one scope you can specify either only payments per period, or only one-time payments.
  • If scope contains a requirement for one-time payment, then with the payment right, you can only specify money-source and account-info, all other rights are forbidden.
  • Regardless of the value of the requested limits, payments can also be subject to restrictions set by YooMoney for various types of transactions.
Example: payments restricted to 100 rubles and 50 kopecks per day, and the user can change the amount
Example: one-time payment of 1000 rubles and the user cannot change the amount.
By default: limit(1,3000) — 3000 rubles per day, and the user can change the amount.
The money-source permission
Informs YooMoney which payment methods are supported by the application.
The requested method for making a payment:
  • wallet — payments from the YooMoney wallet;
  • card — from the user’s bank card linked to the wallet.
Default: wallet.
Example of payment using both a linked bank card and a wallet
Example of payment using only a linked bank card
Example of payment only from a wallet
Examples of values for the scope parameter
Permitted to view payment history
account-info operation-history operation-details
Permitted to view the account balance and make payments to merchant 123 for up to 1,000 rubles per week
Permitted to make transfers to account XXXX, but no more than 500 rubles over a two-week period"XXXX").limit(14,500)
Permitted to make a one-time transfer to the account linked to phone number ZZZ, in the amount of 500 rubles"ZZZ","phone").limit(,500)
Permitted to make payments from the linked bank card to merchant 123 up to a total of 1000 rubles per week"123").limit(7,1000) money-source("wallet","card")