Device token
Yandex.OAuth allows requesting a token for an application on a specific device. To do this, the token request (or the authorization code request) must specify the device ID and name (the device_id and device_name parameters described in the request parameters in this document). The user sees this name on the access management page in Passport. If only the ID is specified without the name, the token is marked as issued for an unknown device.
Revoking a token on a specific device
Use a request to Yandex.OAuth to revoke a token issued for a specific device, for example, to guarantee that the user is logged out of the account on that device. Only tokens that were requested with a device ID can be revoked this way (see the unsupported_token_type error below).
To revoke a token, pass it to Yandex.OAuth together with the application ID and password.
Application authentication
Requests to Yandex.OAuth must carry the application ID and password (client_id and client_secret) that were generated during application registration.
There are two ways to pass them in the request:
- In the Authorization header, as the base64-encoded string <client_id>:<client_secret>, using the Basic authorization scheme. Header example:
Authorization: Basic NDc2MDE4N2Q4MWJjNGI3Nzk5NDc2YjQycjUxMDM3MTM6ZjI1YmViZjk5MWZmNDE5ODkzZGIyNTU3MjhlNGUxZGU=
- In the body of the POST request, in the client_id and client_secret parameters. Both parameters must be passed together.
If Yandex.OAuth receives the Authorization header, the client_id and client_secret parameters in the request body are ignored.
Request format
Send the request over the HTTPS protocol using the POST method.
Request format for revoking a token:
POST /revoke_token HTTP/1.1
Host: oauth.yandex.ru
Content-type: application/x-www-form-urlencoded
Content-Length: <length of the request body>
[Authorization: Basic <encoded client_id:client_secret string>]

access_token=<token to revoke>
[& client_id=<application ID>]
[& client_secret=<application password>]
Parameter | Description |
---|---|
Required parameter | |
access_token | The OAuth token to revoke. |
Additional parameters | |
client_id | Application ID. Available in the application properties (click the name of the application to open its properties). This parameter is required if the Authorization header was omitted in the request. |
client_secret | Application password. Available in the application properties (click the name of the application to open its properties). This parameter is required if the Authorization header was omitted in the request. |
Response format
Yandex.OAuth returns the response in a JSON document.
On success, the response has the HTTP 200 code and the following body:
{
"status": "ok"
}
If the request could not be executed, the response carries an HTTP error code and a JSON body with the error code and its description:
{
"error_description": "Client not found",
"error": "invalid_client"
}
Key | Description |
---|---|
error_description | Human-readable error description. |
error | Error code. The table below lists possible error codes. |
Supported error codes
HTTP response code | Error code | Description |
---|---|---|
400 | invalid_request | Invalid request format (omitted required parameter, and so on). |
400 | invalid_grant | The token that was passed does not belong to the specified app. |
400 or 401 | invalid_client | The application ID and password were not accepted (the response example above shows one such case, "Client not found"). The HTTP 401 response code is returned if the application ID and password were passed in the Authorization header; otherwise the code is 400. |
400 | unsupported_token_type | The token can't be revoked because the request for this token did not specify the device ID (the device_id parameter). If the token can't be revoked, delete it from local storage so the application loses access to the user's data. |
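The following Python client ties together the three pieces above: building the Basic Authorization header (or the body credentials) as described under "Application authentication", assembling the form-encoded revoke_token POST from "Request format", and mapping the JSON response and the documented error codes to an action. It is an added example written for this page, not Yandex's own client library. It assumes only what the page states (endpoint https://oauth.yandex.ru/revoke_token, the access_token / client_id / client_secret parameters, and the error codes in the table); the token and credential values in it are constructed placeholders, and the per-error actions in ERROR_ACTIONS are this example's policy, not part of the Yandex.OAuth specification.

```python
"""Revoke a Yandex.OAuth device token (added example; not Yandex's own code).

Assumes only what the page documents: POST https://oauth.yandex.ru/revoke_token
with a form-encoded body, and application credentials passed either as an HTTP
Basic Authorization header or as client_id / client_secret body parameters.
All token and credential values used here are constructed placeholders.
"""
import base64
import json
import urllib.error
import urllib.request
from urllib.parse import urlencode

REVOKE_URL = "https://oauth.yandex.ru/revoke_token"

# Error codes documented on the page, with the action this example takes for each.
# The actions are this example's policy, not something the API mandates.
ERROR_ACTIONS = {
    "invalid_request": "fix the request: a required parameter is missing or malformed",
    "invalid_grant": "the token belongs to another application; nothing to revoke here",
    "invalid_client": "application ID/password rejected; check the registered credentials",
    "unsupported_token_type": "token was issued without device_id; delete it from local storage",
}


class RevokeError(Exception):
    """Raised for error responses the client cannot resolve by itself."""

    def __init__(self, http_status, error, description):
        super().__init__(f"{http_status} {error}: {description}")
        self.http_status = http_status
        self.error = error
        self.description = description
        self.action = ERROR_ACTIONS.get(error, "unknown error code; inspect error_description")


def basic_auth_header(client_id, client_secret):
    """Authorization header value: 'Basic ' + base64('<client_id>:<client_secret>')."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_revoke_request(access_token, client_id, client_secret, use_header=True):
    """Return (headers, body) for the revoke_token POST.

    With use_header=True the credentials travel in the Basic header; otherwise
    client_id and client_secret go into the body, always together. Because the
    page says body credentials are ignored when the header is present, the two
    are never sent at the same time.
    """
    params = {"access_token": access_token}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if use_header:
        headers["Authorization"] = basic_auth_header(client_id, client_secret)
    else:
        params["client_id"] = client_id
        params["client_secret"] = client_secret
    body = urlencode(params).encode("ascii")
    headers["Content-Length"] = str(len(body))
    return headers, body


def parse_revoke_response(http_status, body):
    """Map the JSON response to an outcome string or raise RevokeError.

    Returns "revoked" for HTTP 200 with {"status": "ok"}. For
    unsupported_token_type the server cannot revoke the token, so the caller
    must drop it from local storage; that is returned as "forget_locally"
    rather than raised, because the client can still complete the logout.
    """
    data = json.loads(body)
    if http_status == 200 and data.get("status") == "ok":
        return "revoked"
    error = data.get("error", "unknown")
    if error == "unsupported_token_type":
        return "forget_locally"
    raise RevokeError(http_status, error, data.get("error_description", ""))


def revoke_token(access_token, client_id, client_secret, opener=urllib.request.urlopen):
    """Send the revoke request over HTTPS and return the outcome (network call)."""
    headers, body = build_revoke_request(access_token, client_id, client_secret)
    req = urllib.request.Request(REVOKE_URL, data=body, headers=headers, method="POST")
    try:
        with opener(req) as resp:
            return parse_revoke_response(resp.status, resp.read())
    except urllib.error.HTTPError as exc:
        # 400/401 responses carry the JSON error body; parse it the same way.
        return parse_revoke_response(exc.code, exc.read())


if __name__ == "__main__":
    # Constructed sample exchange, shown without touching the network.
    hdrs, payload = build_revoke_request("tok_example", "app_id_example", "app_secret_example")
    print(hdrs["Authorization"], payload)
    print(parse_revoke_response(200, b'{"status": "ok"}'))
    print(parse_revoke_response(400, b'{"error": "unsupported_token_type", "error_description": "x"}'))
```

Whatever parse_revoke_response returns, a logout routine should delete the token from local storage afterwards; the distinction the function draws is whether the server confirmed the revocation ("revoked") or only the local copy was discarded ("forget_locally"), which matters when the logout must be guaranteed rather than best-effort.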