
Scopes

This page outlines the OAuth 2.0 scopes available for the Yoco API.

To view which scopes apply to a given API endpoint, refer to the API reference.

Yoco API scopes

The following scopes are available for OAuth applications:

business/capital_advances:read

Read access to a business’s Capital advances.

business/capital_offers:read

Read access to a business’s Capital offers.

business/orders:read

Read access to a business’s orders, payments & refunds.

business/orders:write

Access to create a business’s orders and payment links.

business/payouts:read

Read access to a business’s payouts.

business/webpos:read

Read access to a business’s Web Point of Sale devices.

business/webpos:write

Access to create and manage a business’s Web Point of Sale devices.

business/webhooks:read

Read access to a business’s webhook registrations.

business/webhooks:write

Access to create and manage a business’s webhook registrations.

profile

Access to the end user’s full name and email address. The id_token and the /userinfo endpoint return this additional information.

The following additional fields are available:

  • user_name: The user’s full name.
  • user_email: The user’s email address.

OAuth 2.0-specific scopes

The following scopes are only available for OAuth applications:

offline_access

Allows the application to receive a refresh token for obtaining new access tokens without requiring the merchant to re-authenticate.

openid

Allows the application to receive an id_token, which contains information about the authenticated user.

The following information about the authenticated user is available in the id_token:

  • user_id: The unique identifier for the user.
  • default_business_id: The unique identifier for the user’s default business. Note: this may differ from the authorized_business_id, which refers to the business that the user authorised during the OAuth 2.0 consent flow.
  • business_ids: A list of all businesses associated with the user.

Additionally, by requesting the id_token, the application also receives access to the /userinfo endpoint, which returns the same information about the authenticated user.
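
A least-privilege check over the scopes above, as an added example that is not Yoco's own code: it compares the scopes an application requested with those a token response reports, and selects the consented business rather than default_business_id. The function names are hypothetical. It assumes the token response follows RFC 6749 (a space-delimited `scope` field, omitted when the grant equals the request), that the id_token claims were already signature-verified, and that the caller supplies authorized_business_id, since this page does not say where that value is delivered.

```python
# Added example; function names are hypothetical, not part of a Yoco SDK.
# The scope strings are the ones listed on this page.
KNOWN_SCOPES = frozenset({
    "business/capital_advances:read", "business/capital_offers:read",
    "business/orders:read", "business/orders:write", "business/payouts:read",
    "business/webpos:read", "business/webpos:write",
    "business/webhooks:read", "business/webhooks:write",
    "profile", "offline_access", "openid",
})


def audit_grant(requested, token_response):
    """Return (kind, scope) findings comparing requested and granted scopes."""
    requested = set(requested)
    raw = token_response.get("scope")
    # RFC 6749 section 5.1: "scope" may be omitted when it equals the request.
    granted = set(raw.split()) if raw is not None else set(requested)
    findings = [("unknown", s) for s in sorted(granted - KNOWN_SCOPES)]
    findings += [("excess", s) for s in sorted(granted - requested)]
    findings += [("missing", s) for s in sorted(requested - granted)]
    # A refresh token is only expected when offline_access was granted.
    if "refresh_token" in token_response and "offline_access" not in granted:
        findings.append(("unexpected_refresh_token", "offline_access"))
    # profile only adds fields to the id_token and /userinfo, which come with openid.
    if "profile" in granted and "openid" not in granted:
        findings.append(("profile_without_openid", "profile"))
    return findings


def business_for_api_calls(id_token_claims, authorized_business_id):
    """Return (business_id, differs_from_default) for the consented business."""
    if not authorized_business_id:
        # Never fall back to default_business_id: the user may not have consented to it.
        raise ValueError("authorized_business_id is required")
    differs = authorized_business_id != id_token_claims.get("default_business_id")
    return authorized_business_id, differs


if __name__ == "__main__":
    # Constructed sample values, not real Yoco responses.
    resp = {"access_token": "constructed", "refresh_token": "constructed",
            "scope": "openid business/orders:read business/orders:write"}
    print(audit_grant({"openid", "business/orders:read"}, resp))
    claims = {"user_id": "u_1", "default_business_id": "biz_A",
              "business_ids": ["biz_A", "biz_B"]}
    print(business_for_api_calls(claims, "biz_B"))
```

Any "excess" finding on a `:write` scope, or an unexpected refresh token, is worth treating as a reason to discard the token and review the application's configured scopes.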