Managing authorization
After you redirect a merchant to the authorization URL, they log in and either accept or deny consent to the requested scopes.
Your application must be able to handle both outcomes.
Handling the authorization response
After the merchant grants or denies access, Yoco’s authorization server redirects them back to your application. Your application should handle both success and error responses.
Success response
When authorization succeeds, the redirect includes:
Always validate the state parameter to prevent CSRF attacks.
Error response
When authorization fails, the redirect includes error details:
Common error codes include:
- access_denied - Merchant declined authorization
- invalid_client - Invalid client ID or configuration
- invalid_request - Malformed authorization request
When authorization fails, your application should display a relevant message to the user.
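The following is an added example, not Yoco's own code, showing one way to process the redirect described above: it checks the state parameter before trusting anything else, then classifies the response as success, one of the listed error codes, or a malformed reply. It assumes the standard OAuth 2.0 query parameters (code, state, error, error_description), which this page does not spell out.

```python
import hmac
from urllib.parse import parse_qs, urlparse

# The error codes listed on this page, mapped to the message shown to the user.
ERROR_MESSAGES = {
    "access_denied": "You declined to authorize the application.",
    "invalid_client": "The application is misconfigured; please contact support.",
    "invalid_request": "The authorization request was malformed; please try again.",
}


def handle_authorization_redirect(redirect_url: str, expected_state: str) -> dict:
    """Classify the redirect sent back after the consent screen.

    Returns a dict whose "outcome" key is one of:
      "success"       - carries the authorization code to exchange for tokens
      "error"         - carries the error code and a user-facing message
      "invalid_state" - state missing or mismatched; treat as a CSRF attempt
    The parameter names (code, state, error, error_description) are the
    standard OAuth 2.0 ones and are an assumption of this example.
    """
    params = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}

    # Verify state before reading anything else. A constant-time comparison
    # avoids leaking the expected value through timing, and a missing state is
    # rejected exactly like a mismatched one.
    received_state = params.get("state", "")
    if not expected_state or not hmac.compare_digest(
        received_state.encode(), expected_state.encode()
    ):
        return {"outcome": "invalid_state"}

    if "error" in params:
        code = params["error"]
        return {
            "outcome": "error",
            "error": code,
            "message": ERROR_MESSAGES.get(code, "Authorization failed. Please try again."),
            "description": params.get("error_description", ""),
        }

    if "code" in params:
        return {"outcome": "success", "code": params["code"]}

    # Neither an error nor a code: treat as malformed rather than as success.
    return {"outcome": "error", "error": "invalid_request",
            "message": ERROR_MESSAGES["invalid_request"], "description": ""}
```

The expected_state value is the one your application generated and stored in the merchant's session before building the authorization URL.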
Refreshing access tokens
Access tokens expire and must be refreshed using the refresh token.
Refresh request
Handling refresh failures
Your application must handle refresh token expiration:
- Expired refresh token: Redirect user to authorization URL to re-grant consent
- Revoked access: User has revoked your application’s access
- Invalid client: Check your client credentials
Logout endpoint
Implement logout functionality with the RP-initiated logout endpoint:
Requirements:
- Configure post_logout_redirect_uri in your OAuth application settings
- Include the user's id_token_hint in the request
- Use a state parameter to maintain session state
Security best practices
- Always verify the state parameter to prevent CSRF attacks
- Store tokens securely (encrypted, server-side only)
- Use HTTPS for all OAuth-related requests
- Implement proper error handling for all scenarios
- Never expose client secrets or tokens in frontend code