Yandex OAuth implementation
Yandex services authorize applications via tokens. Each token is an alphanumeric sequence encoding the following information:
The ID of the account that can be accessed.
The ID of the application that was granted access.
A set of permissions (actions allowed for the application).
The general principles of using Yandex OAuth tokens are explained below.
Applications use the following flow for requesting tokens:
The application includes the received token in a request to a Yandex service that supports OAuth.
The received token can be stored in the application and used for requests until it expires.
The token lifespan is how long the token can be used for authorization. The maximum lifespan depends on the permissions selected during application registration:
- Perpetual token
  Never expires and can only be revoked by the user.
  During application registration, the lifespan is displayed as "indefinite".
- Renewable token
  Expires after several months, but is renewed each time this token is used for authorization.
  The minimum lifespan is displayed during application registration, such as "at least 1 year".
- Limited token
  Expires after the duration specified for the respective access permissions.
  If multiple permissions were selected during application registration, the shortest time limit is applied to the token. For example, permissions to access Yandex.Metrica are set to 1 year, while permissions for using Yandex.Post Office are set to 180 days. This means that a token with permissions for both Yandex.Metrica and Yandex.Post Office will be valid for no longer than 180 days.
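The three lifespan kinds and the "shortest limit wins" rule above, modelled as a small Python example added here (not Yandex code): an application that stores a token should check it against this logic before reusing it. Time is counted in whole days since issue, and the permission lifespans are constructed from the page's example (Metrica 1 year, Post Office 180 days), not looked up from a real registration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed permission limits, in days, following the page's example.
PERMISSION_LIFESPAN_DAYS = {
    "metrika:read": 365,     # Yandex.Metrica: 1 year
    "postoffice:read": 180,  # Yandex.Post Office: 180 days
}


def effective_limit_days(permissions) -> Optional[int]:
    """Limited token rule: the shortest permission limit applies."""
    limits = [PERMISSION_LIFESPAN_DAYS[p] for p in permissions]
    return min(limits) if limits else None


@dataclass
class Token:
    kind: str                          # "perpetual", "renewable" or "limited"
    lifespan_days: Optional[int] = None
    last_used_day: int = 0             # day of issue counts as day 0
    revoked: bool = False              # set when the user or app revokes it

    def expires_on(self) -> Optional[int]:
        """Day from which the token is no longer accepted (None = never)."""
        if self.kind == "perpetual" or self.lifespan_days is None:
            return None
        if self.kind == "renewable":
            # Sliding expiry: each authorization use restarts the countdown.
            return self.last_used_day + self.lifespan_days
        return self.lifespan_days      # limited: fixed from the day of issue

    def is_usable(self, today: int) -> bool:
        if self.revoked:
            return False
        exp = self.expires_on()
        return exp is None or today < exp

    def use(self, today: int) -> bool:
        """Include the token in a request; False means get a new token first."""
        if not self.is_usable(today):
            return False
        if self.kind == "renewable":
            self.last_used_day = today
        return True
```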
Revoking a token
Users can revoke any OAuth tokens that have been issued for their accounts:
- To revoke all tokens that were ever issued for an account, the user can change the password or log out of all computers.
- To revoke tokens that were issued to a specific application, the user can deny access for this application on the applications page.
An application can revoke its own token if it was issued for a specific device.
All situations in which a token is revoked are listed on the Revoking tokens page.