Application authorization flow

In order to access a user's Yandex.Money account, your application must complete the authorization process.

The OAuth2 protocol makes authorization secure and convenient. With OAuth2 authorization, applications don't need to ask users for their Yandex login and password. Instead, the user grants the application permission to access their account, limited to the permissions the user has allowed.

Application authorization in Yandex.Money conforms to the following specifications:

Diagram illustrating how an application and a user interact with the Yandex.Money OAuth server:

Developer steps

  1. The developer registers the application in Yandex.Money.

    According to the OAuth2 protocol, this is the Registration Request stage. The Yandex.Money service issues the developer a client_id, a string-valued application identifier.

  2. The developer embeds this client_id in the application code, declaring it a constant. Then the application can be distributed using any convenient method. The client_id remains constant during the entire application lifecycle.

How a user authorizes an application

  1. The user initiates authorization of the application for managing their account.

  2. The application sends the Authorization Request to the Yandex.Money server.

  3. Yandex.Money redirects the user to the authentication page.

  4. The user enters his login and password, reviews the list of requested permissions, and either approves or rejects the authorization request.

  5. The application receives an Authorization Response in the form of an HTTP Redirect with either a temporary authorization code or an error code.

  6. The application sends a request for an access token (Access Token Request), using the temporary authorization code in the request.

  7. The response contains the permanent access_token.

  8. The application informs the user of the authorization results.

Verifying the application's authenticity using a secret word

The Yandex.Money service provides an additional way to verify that the access token is coming from your application.

To do this, when obtaining the access token (the /oauth/token call), the application passes a secret word (client_secret) that is only known to the application.

Note. Security measures based on the secret word are effective only if the token request is sent from the application's server, bypassing the user's device or browser.

Security requirements

  1. All network interactions are transmitted only via HTTPS.
  2. The TLS version is 1.2 or later.
  3. In order to prevent compromise of authorization data, the application must verify the validity of the server SSL certificate and abort the session immediately if validation fails.
  4. Do not store the access token in unencrypted form, for example, in cookies.
  5. Never send the access token in request parameters (GET, POST, etc.).
  6. The secret word must never be transmitted through the user's device or browser.
  7. The secret word must not be used in any request other than the request to get a token.
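The server-side steps of the flow described above (Authorization Request, handling the redirect, the /oauth/token exchange) with the security requirements enforced in code, as an added example that is not Yandex.Money's own code. The host name and the /oauth/authorize path are assumptions (the page names only the /oauth/token call), and parameter names follow plain OAuth2, which the page says the service conforms to.

```python
import secrets
import ssl
from urllib.parse import parse_qs, urlencode, urlsplit

OAUTH_HOST = "https://oauth.example.test"  # assumed placeholder, not a real endpoint

def require_https(url):
    # Requirement 1: every network interaction goes over HTTPS only.
    if urlsplit(url).scheme != "https":
        raise ValueError("refusing non-HTTPS URL: " + url)
    return url

def tls_context():
    # Requirements 2-3: TLS 1.2+, certificate must verify or the handshake aborts.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def authorization_request(client_id, redirect_uri, scope, state=None):
    # Step 2: build the Authorization Request URL (assumed /oauth/authorize path);
    # `state` is random, kept by the app to tie the redirect back to this session.
    state = state or secrets.token_urlsafe(16)
    query = urlencode({"response_type": "code", "client_id": client_id,
                       "redirect_uri": require_https(redirect_uri),
                       "scope": scope, "state": state})
    return require_https(OAUTH_HOST + "/oauth/authorize?" + query), state

def parse_authorization_response(redirect_url, expected_state):
    # Step 5: the HTTP Redirect carries either a temporary code or an error code.
    params = parse_qs(urlsplit(redirect_url).query)
    if params.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: redirect does not belong to this session")
    if "error" in params:
        raise PermissionError(params["error"][0])
    return params["code"][0]

def access_token_request(code, client_id, client_secret, redirect_uri):
    # Steps 6-7: exchange the temporary code for the permanent access_token. This is
    # the only request carrying client_secret (req. 7), built server-side (req. 6).
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "client_id": client_id, "client_secret": client_secret,
                      "redirect_uri": redirect_uri})
    return {"method": "POST", "url": require_https(OAUTH_HOST + "/oauth/token"),
            "headers": {"Content-Type": "application/x-www-form-urlencoded"},
            "body": body}

def api_headers(access_token):
    # Requirement 5: token in the Authorization header, never in GET/POST params.
    return {"Authorization": "Bearer " + access_token}
```

The dict returned by access_token_request is what the server's HTTP client sends over a connection opened with tls_context(); the temporary code and state values used below are constructed for illustration.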