OAuth 2.0

OAuth 2.0 provides secure access to merchant resources through the Yoco API. This implementation uses the ‘authorization code flow’, which enables applications to access merchant data on behalf of the merchant after obtaining explicit authorisation.

Supported flows

Yoco exclusively supports the OAuth 2.0 authorization code flow.

The following flows are not supported:

Authorization code flow

The diagram illustrates these critical phases:

1. Authorization request initiation

Your application redirects the merchant to Yoco’s authorization server with required parameters including client ID, scopes, and a state parameter for security.

3. Authorization code exchange

Your application receives an authorization code and exchanges it for access tokens, ID tokens and refresh tokens using your client credentials.

Requirements and limitations

Token management

  • Access tokens expire after 14 days (336 hours).
  • Refresh tokens expire after 60 days (1440 hours).
  • Tokens must be stored securely and should never be exposed to end users.
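The phases above and the token lifetimes, as an added illustration that is not Yoco's own code: it builds the phase 1 redirect with a random `state`, validates that `state` on the callback before accepting the code, assembles the back-channel exchange request, and decides from the 14-day / 60-day lifetimes whether to refresh or re-authorize. The authorization URL is a placeholder and the parameter names are the generic OAuth 2.0 ones, both assumptions since the page does not list them.

```python
import hmac
import secrets
from datetime import timedelta
from urllib.parse import parse_qs, urlencode, urlparse

# Endpoint placeholder: the page does not give Yoco's real authorization URL.
AUTHORIZE_URL = "https://auth.example.invalid/oauth/authorize"
ACCESS_TOKEN_TTL = timedelta(hours=336)    # 14 days, per the page
REFRESH_TOKEN_TTL = timedelta(hours=1440)  # 60 days, per the page

def build_authorization_request(client_id, redirect_uri, scopes):
    """Phase 1: redirect URL plus the `state` to keep server-side (e.g. in the
    session). The state binds the later callback to this browser session."""
    state = secrets.token_urlsafe(32)  # unguessable, single-use
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}", state

def extract_code(callback_url, expected_state):
    """Phase 3, front channel: check `state` before trusting the code. A mismatch
    means this session did not start the flow (CSRF or an injected code)."""
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [""])[0]
    code = query.get("code", [""])[0]
    if not code or not hmac.compare_digest(state, expected_state):
        raise ValueError("state mismatch or missing code; abort the flow")
    return code

def token_exchange_body(code, client_id, client_secret, redirect_uri):
    """Phase 3, back channel: body POSTed server-to-server; the secret never reaches the browser."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_secret": client_secret,
    }

def token_status(issued_at, now, margin=timedelta(hours=1)):
    """Return 'ok', 'refresh' (access token within `margin` of expiry) or 'reauthorize'."""
    if now >= issued_at + REFRESH_TOKEN_TTL:
        return "reauthorize"
    if now >= issued_at + ACCESS_TOKEN_TTL - margin:
        return "refresh"
    return "ok"
```

Once the refresh token has also expired, no stored credential can recover access; the merchant has to go through phase 1 again.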

Application approval

  • Sandbox applications can be created and tested without approval.
  • Live applications need to be submitted for review before going live.
  • Each environment (sandbox/live) requires a separate application.

Terminology

  • Access token: A credential used to access protected resources.
  • Refresh token: A credential used to obtain new access tokens.
  • Authorization code: A short-lived code obtained during the authorisation process. It is exchanged for an access token at the end of the OAuth flow.
  • Client ID: Your application’s unique identifier.
  • Client secret: A secret key used to authenticate your application. This is only displayed once when you create your application; make sure to store it securely.

For more details about OAuth 2.0 terminology, see the official OAuth 2.0 specification, on which Yoco’s implementation is based.