Scopes

This page outlines the OAuth 2.0 scopes available for the Yoco API.

OAuth 2.0 Scopes

The Yoco API supports the following standard OAuth 2.0 scopes:

offline_access

Allows the application to receive a refresh token, which can be used to obtain new access tokens without requiring the merchant to re-authenticate.

openid

Allows the application to receive an id_token, which contains information about the authenticated user.

The following information about the authenticated user will be available in the id_token:

  • user_id: The unique identifier for the user.
  • default_business_id: The unique identifier for the user’s default business. Note: this may differ from the authorized_business_id, which refers to the business that the user authorised during the OAuth 2.0 consent flow.
  • business_ids: A list of all businesses associated with the user.

Additionally, by requesting the id_token, the application will receive access to the /userinfo endpoint, which returns the same information about the authenticated user.

Yoco API Scopes

To view which scopes apply to a given API endpoint, refer to the Yoco API documentation.

In addition to the standard OAuth 2.0 scopes, the Yoco API supports the following additional scopes:

business/orders:read

Read access to a business’ orders, payments & refunds.

business/orders:write

Access to create a business’ orders and payment links.

business/payouts:read

Read access to a business’ payouts.

profile

Access to the end user’s full name and email address. This additional information will be returned in the id_token and by the /userinfo endpoint.

The additional fields that will be available are:

  • user_name: The full name of the user.
  • user_email: The email address of the user.
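
The note under openid (default_business_id may differ from the authorized business) and the profile fields above both affect how an application should consume id_token claims. The following is an added example, not code from Yoco: the function name, the way authorized_business_id reaches the application, and the membership check against business_ids are assumptions, and the sample values are constructed.

```python
# Added example. Claim and scope names are from the page; the rest is assumed.
class ClaimError(ValueError):
    """Raised when id_token claims cannot be used to pick a business."""

BASE_CLAIMS = ("user_id", "default_business_id", "business_ids")
PROFILE_CLAIMS = ("user_name", "user_email")

def select_business(claims, authorized_business_id, granted_scopes):
    """Build session context from an already signature-verified id_token.
    claims: id_token claims as a dict (signature, issuer, audience and expiry
        checks belong to a JWT library and are not done here).
    authorized_business_id: the business consented to in the OAuth flow; the
        page does not say how it is delivered, so it is a parameter here.
    granted_scopes: space-delimited scopes the token was issued with.
    """
    scopes = set(granted_scopes.split())
    if "openid" not in scopes:
        raise ClaimError("openid not granted; no id_token claims expected")
    missing = [c for c in BASE_CLAIMS if c not in claims]
    if missing:
        raise ClaimError(f"id_token is missing claims: {missing}")
    if not isinstance(claims["business_ids"], list):
        raise ClaimError("business_ids must be a list")
    # Assumption: the consented business is one the user is associated with.
    if authorized_business_id not in claims["business_ids"]:
        raise ClaimError("authorized business is not in business_ids")
    context = {
        "user_id": claims["user_id"],
        # Scope API calls to the consented business, not the default one.
        "business_id": authorized_business_id,
        "is_default": authorized_business_id == claims["default_business_id"],
    }
    # Only carry user_name / user_email when the profile scope was granted.
    if "profile" in scopes:
        for name in PROFILE_CLAIMS:
            context[name] = claims.get(name)
    return context

# Constructed sample claims (not real Yoco identifiers).
SAMPLE_CLAIMS = {
    "user_id": "user-1",
    "default_business_id": "biz-A",
    "business_ids": ["biz-A", "biz-B"],
    "user_name": "Sam Example",
    "user_email": "sam@example.com",
}

if __name__ == "__main__":
    print(select_business(SAMPLE_CLAIMS, "biz-B", "openid profile"))
```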