Access token scope

When invoking a protocol operation, you must pass an access token that has the necessary permissions. The list of permissions is requested in the scope parameter of the authorize call (the user's authorization of the OAuth2 application); permissions are separated by a space.

The possible permissions are listed below:

Permission Description
account-info To get information about the account status (see the account-info method).
operation-history To view the history of account operations (see the operation-history method).
operation-details To view details of a particular operation (see the operation-details method).
incoming-transfers To accept/cancel incoming transfers with a secret code and held for pickup.
payment To make payments to a particular merchant or transfer funds to a particular user account (see the request-payment and process-payment methods).
payment-shop To make payments to any merchant accessible via the API (see the request-payment and process-payment methods).
payment-p2p To transfer funds to any accounts, phone numbers, or email addresses of other users (see the request-payment and process-payment methods).
money-source Available payment methods (see the request-payment and process-payment methods). For more information, see The money-source permission.

Restriction.
The following cannot be used simultaneously in "scope":
  • payment-p2p permission and payment.to-account permission
  • payment-shop permission and payment.to-pattern permission
Tip.

Some permissions require setting string values that may contain symbols that violate the scope syntax. For such symbols, use backslash escaping according to JSON format. For example: \" \\

Restrictions that apply to permissions

Restrictions (limits) may be applied to the permissions granted. Limits are specified like this:
permission_name.destination.limit

Restrictions that can be applied to permissions:

destination condition (the payment recipient)

Applies to the permission: payment.

Only one of the following conditions can be specified as a value:

  • to-pattern(patternId) — restricts sending payments only using the specified patternId.
  • to-account(to) — restricts transfers of funds only to the account of a specific user. For the recipient ID, you can use an account number, mobile phone number that is linked with the user's account, or the user's email address.

Limiting parameters:

Parameter Description
to The transfer recipient's account ID, phone number linked to the account, or email. Required parameter.
Tip.

Mobile phone number as the payee ID.

Instead of using the account number as the recipient's ID, you can use the mobile phone number associated with the account (if the recipient has one). The specified phone number must be in the format of the ITU-T E.164 Numbering plan of the international telephone service.

For Russia, this is the full number starting from 7, without the '+' symbol.

For example: 79219990099

Tip.

Email format.

Acceptable ways of formatting email addresses are described in Wikipedia. Keep in mind that email addresses may contain symbols that violate the scope syntax, such as double quotes.

For such symbols, use backslash escaping according to JSON format. For example: \" \\

Example for specifying the transfer recipient using an account number:

.to-account("41001XXXXXXXX")

Example for specifying the transfer recipient using a linked mobile phone number:

.to-account("79219990099")

Example of specifying the transfer recipient using email:

.to-account("username@yandex.ru")

limit condition (payment limit)

limit(duration,sum)

Applies to these permissions: payment, payment-shop, payment-p2p.

The limit is specified last.

Format:

  • limit(duration,sum) — limit to the total amount of payments over a period of time.
  • limit(,sum) — delegation of rights to make a one-time payment for a fixed amount.

Parameters:

Parameter Value
duration Period of time, in days. If omitted, payment can only be made once using the given permission.
sum Total amount for all payments over the period in duration, in the currency used for the account.
Tip. You can use the limit condition to delegate one-time payments. The permission expires at the same time as the token. The user cannot change the payment amount.
Restriction. Within one scope, you can specify either only payments per period or only one-time payments.
Restriction. If scope contains a requirement for a one-time payment, then together with the payment right you can specify only money-source and account-info; all other rights are forbidden.
Restriction. Regardless of the value of the requested limits, payments can also be subject to restrictions set by Yandex.Money for various types of transactions.

Example: payments restricted to 100 rubles and 50 kopecks per day, and the user can change the amount.

.limit(1,100.50)

Example: one-time payment of 1000 rubles and the user cannot change the amount.

.limit(,1000)

By default: limit(1,3000) — 3000 rubles per day, and the user can change the amount.

The money-source permission

Informs Yandex.Money which payment methods are supported by the application.

Format:

money-source(list_of_payment_methods)

The requested method for making a payment:

  • wallet — payments from the Yandex.Money wallet;
  • card — from the user's bank card linked to the wallet.

Default: wallet.

Restriction. Bank cards cannot be used for transferring funds to other users' accounts.

Example of payment using both a linked bank card and a wallet:

money-source("wallet","card")

Example of payment using only a linked bank card:

money-source("card")

Example of payment only from a wallet:

money-source("wallet")

Examples of values for the scope parameter

Permitted to view payment history:
account-info operation-history operation-details
Permitted to view the account balance and make payments to merchant 123 for up to 1,000 rubles per week:
account-info payment.to-pattern("123").limit(7,1000)
Permitted to make transfers to account XXXX, but no more than 500 rubles over a two-week period:
payment.to-account("XXXX").limit(14,500)
Permitted to make a one-time transfer to the account linked to phone number ZZZ, in the amount of 500 rubles:
payment.to-account("ZZZ","phone").limit(,500)
Permitted to make payments from the linked bank card to merchant 123 up to a total of 1000 rubles per week:
payment.to-pattern("123").limit(7,1000) money-source("wallet","card")
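
Added example (not part of the original documentation): a Python helper that assembles a scope value with the JSON escaping, destination and limit syntax described above, and rejects the combinations listed under the restrictions before the value is sent to authorize. The function names are assumptions made for this example, as is the requirement that payment always carries exactly one destination.

```python
import json
import re

AMOUNT_RE = re.compile(r"\d+(?:\.\d+)?")
LIMIT_RE = re.compile(r"\.limit\((\d*),(\d+(?:\.\d+)?)\)$")  # limit is always last

def quote(value):
    # JSON string escaping, which the page prescribes for characters like " and \
    return json.dumps(str(value), ensure_ascii=False)

def payment(to_account=None, to_pattern=None, days=None, amount=None):
    """Build a `payment` permission: one destination, then an optional limit."""
    if (to_account is None) == (to_pattern is None):
        raise ValueError("specify exactly one of to_account / to_pattern")
    if amount is not None and not AMOUNT_RE.fullmatch(str(amount)):
        raise ValueError("amount must be a plain decimal number")
    if to_account is not None:
        perm = "payment.to-account(%s)" % quote(to_account)
    else:
        perm = "payment.to-pattern(%s)" % quote(to_pattern)
    if amount is not None:
        # An empty duration delegates a single payment for a fixed amount.
        perm += ".limit(%s,%s)" % ("" if days is None else int(days), amount)
    return perm

def money_source(*methods):
    return "money-source(%s)" % ",".join(quote(m) for m in methods)

def build_scope(perms):
    """Join permissions with spaces, rejecting combinations the page forbids."""
    def has(name):
        return any(p == name or p.startswith((name + ".", name + "(")) for p in perms)
    if has("payment-p2p") and has("payment.to-account"):
        raise ValueError("payment-p2p cannot be combined with payment.to-account")
    if has("payment-shop") and has("payment.to-pattern"):
        raise ValueError("payment-shop cannot be combined with payment.to-pattern")
    limits = [(p, m.group(1)) for p in perms if (m := LIMIT_RE.search(p))]
    one_time = [p for p, duration in limits if duration == ""]
    if one_time and len(one_time) != len(limits):
        raise ValueError("per-period and one-time limits cannot be mixed")
    if any(p.startswith("payment.") for p in one_time):
        extra = [p for p in perms if p not in one_time
                 and p != "account-info" and not p.startswith("money-source(")]
        if extra:
            raise ValueError("one-time payment allows only money-source and account-info: %r" % extra)
    return " ".join(perms)
```

Building the value from structured arguments keeps a recipient string or amount taken from user input from closing the quotes and appending a broader permission to the requested scope.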