OAuth 2.0

OAuth 2.0 provides secure access to merchant resources through the Yoco API. This implementation uses the ‘authorization code flow’, which enables applications to access merchant data on behalf of the merchant after obtaining explicit authorisation.

Supported flows

Yoco exclusively supports the OAuth 2.0 authorization code flow; other OAuth 2.0 grant types aren’t supported.

Authorization code flow

The diagram illustrates these critical phases:

1. Authorization request initiation: your application redirects the merchant to Yoco’s authorization server with the required parameters, including your client ID, the requested scopes, and a state parameter. Generate the state unpredictably for each request and bind it to the merchant’s session, so that a callback your application did not initiate (a CSRF attempt) can be rejected.

3. Authorization code exchange: after the merchant grants authorisation, your application receives an authorization code on its redirect URI and exchanges it, using your client credentials, for an access token, an ID token and a refresh token. The exchange is a server-to-server request, so the client secret never reaches the browser.
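The two application-side steps above, written out as an added example (this is not Yoco’s own client code or SDK). It mints and validates the state parameter, exchanges the code over the back channel, and, going slightly beyond the steps above, also refreshes the access token as described under Token management. The endpoint URLs, parameter names and the `payments:read` scope are assumptions; the page names none of them.

```python
# Added example (not Yoco's code): minimal authorization-code-flow client.
# Endpoint URLs, parameter names and scopes below are assumptions.
import json
import secrets
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed endpoints: placeholders, not real Yoco URLs.
AUTHORIZE_URL = "https://auth.yoco.example/oauth/authorize"
TOKEN_URL = "https://auth.yoco.example/oauth/token"

FORM_HEADERS = {
    "Content-Type": "application/x-www-form-urlencoded",
    "Accept": "application/json",
}


class OAuthError(Exception):
    """A callback or token response that must not be trusted."""


@dataclass
class TokenSet:
    access_token: str
    refresh_token: str
    id_token: Optional[str]
    expires_in: int  # lifetime in seconds, as reported by the server


def query_params(url: str) -> Dict[str, str]:
    """Flatten a URL's query string into a dict (first value of each key wins)."""
    parsed = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    return {k: v[0] for k, v in parsed.items()}


def build_authorization_url(client_id, redirect_uri, scopes, pending_states):
    """Step 1: mint an unguessable state, remember it server-side (pending_states
    stands in for the session store) and return the URL to send the merchant to."""
    state = secrets.token_urlsafe(32)
    pending_states[state] = redirect_uri
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
    }
    return AUTHORIZE_URL + "?" + urllib.parse.urlencode(params)


def parse_callback(callback_url, pending_states):
    """Validate the redirect back from the authorization server. A state we did
    not mint, or one already used, is rejected (CSRF / replay); a valid state is
    consumed so it cannot be replayed. Returns (code, redirect_uri)."""
    q = query_params(callback_url)
    state = q.get("state")
    if state is None or state not in pending_states:
        raise OAuthError("state missing or unknown: discarding callback")
    redirect_uri = pending_states.pop(state)
    if "error" in q:
        raise OAuthError("authorization failed: " + q["error"])
    code = q.get("code")
    if not code:
        raise OAuthError("callback carried no authorization code")
    return code, redirect_uri


def _http_post(url, form_body, headers):
    """Real transport: POST a form body and return the parsed JSON reply."""
    req = urllib.request.Request(url, data=form_body.encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def _token_request(form: Dict[str, str], post) -> TokenSet:
    """Send a token-endpoint request and validate the reply."""
    reply = post(TOKEN_URL, urllib.parse.urlencode(form), FORM_HEADERS)
    if "access_token" not in reply:
        raise OAuthError("token endpoint error: " + str(reply.get("error", "no access_token")))
    return TokenSet(
        access_token=reply["access_token"],
        refresh_token=reply.get("refresh_token", ""),
        id_token=reply.get("id_token"),
        expires_in=int(reply.get("expires_in", 14 * 24 * 3600)),  # page: 14-day access tokens
    )


def exchange_code(code, redirect_uri, client_id, client_secret, post=_http_post):
    """Step 3: swap the code for tokens. The client secret travels only on this
    server-to-server request, never to the browser. `post` is injectable so the
    exchange can be exercised offline."""
    return _token_request({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_secret": client_secret,
    }, post)


def refresh_tokens(refresh_token, client_id, client_secret, post=_http_post):
    """Obtain a new access token before the current one expires (the page gives
    14 days for access tokens and 60 days for refresh tokens)."""
    return _token_request({
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": client_id,
        "client_secret": client_secret,
    }, post)
```

The state is the only thing tying the callback to the session that started it: it is stored server-side, checked before anything else in the callback is looked at, and removed on first use, so a forged or replayed callback is dropped before its code is ever sent to the token endpoint.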

Requirements and limitations

Token management

  • Access tokens expire after 14 days; use the refresh token to obtain a new one before then.
  • Refresh tokens expire after 60 days; once a refresh token has expired, the merchant must go through the authorization flow again.
  • Store tokens securely on your server and never expose them to end users or to browser-side code.

Application approval

  • You can create and test sandbox applications without approval.
  • You need to submit live applications for review before going live.
  • Each environment, whether sandbox or live, requires a separate application.

Terminology

  • Access token: A credential used to access protected resources.
  • Refresh token: A credential used to obtain new access tokens.
  • Authorization code: A short-lived code obtained during the authorisation process. It’s exchanged for an access token at the end of the OAuth flow.
  • Client ID: Your application’s unique identifier.
  • Client secret: A secret key used to authenticate your application. This is only displayed once when you create your application; make sure to store it securely.

For more details about OAuth 2.0 terminology, see the official OAuth 2.0 specification (RFC 6749).