Setting up your applications

Before you can implement OAuth 2.0 with Yoco, you need to create and configure OAuth applications for both sandbox testing and live use.

Coming soon

This functionality is still being built and represents a future state. Stay tuned for updates as we continue to develop this feature.

Prerequisites

  1. Create a developer account in the Yoco Developer Console
  2. Understand the OAuth 2.0 scopes your application will need

Application setup process

You’ll need to register separate applications for the sandbox and live environments, each with its own configuration and credentials.

  1. Create a new sandbox application
  2. Select the OAuth scopes your application needs
    • Choose only the scopes necessary for your application’s functionality
    • Follow the principle of least privilege - request minimal access
    • Each scope provides access to specific API resources
  3. Configure your redirect URL
  4. Note your Client ID
  5. Store your Client Secret securely - it will only be shown once

  1. Create a new live application
  2. Select the OAuth scopes your application needs
    • Choose only the scopes necessary for your application’s functionality
    • Follow the principle of least privilege - request minimal access
    • Each scope provides access to specific API resources
  3. Configure your live redirect URL
  4. Submit your application for approval
  5. Once approved, note your Client ID
  6. Store your Client Secret securely - it will only be shown once

Important considerations

Scope selection

  • Minimal access: Only request the scopes your application actually needs
  • Clear purpose: Understand what each scope provides access to
  • Security: More scopes mean broader access; follow the principle of least privilege

Redirect URLs

  • Always use HTTPS (HTTP is allowed only for localhost in sandbox)
  • Must exactly match the URL you provide during the authorization flow
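
The two redirect URL rules above can be checked in your own code before you register a URL or start an authorization flow. The following is an added example, not Yoco code; the function names and sample URLs are constructed for illustration, and it assumes that only the literal hostname "localhost" qualifies for the HTTP exception.

```python
from urllib.parse import urlsplit


def registration_problems(url: str, environment: str) -> list[str]:
    """Check a redirect URL against the scheme rules for 'sandbox' or 'live'."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
    except ValueError:
        return ["URL cannot be parsed"]
    if not host:
        return ["URL must be absolute and include a host"]
    if parts.scheme == "https":
        return []
    # Assumption: only the literal hostname "localhost" qualifies; the page does
    # not say whether loopback IPs such as 127.0.0.1 are accepted. Comparing the
    # parsed hostname (not a prefix of the URL) rejects localhost.example.com.
    if parts.scheme == "http" and environment == "sandbox" and host == "localhost":
        return []
    if parts.scheme == "http":
        return ["plain HTTP is allowed only for localhost in sandbox"]
    return [f"unsupported scheme: {parts.scheme!r}"]


def flow_problems(registered: str, presented: str, environment: str) -> list[str]:
    """Problems that would stop `presented` from working in the authorization flow."""
    problems = registration_problems(registered, environment)
    # Exact match: no normalisation, no prefix match, no ignoring a trailing slash.
    if presented != registered:
        problems.append(f"redirect URL mismatch: {presented!r} != {registered!r}")
    return problems


# Constructed sample values, not real Yoco applications.
SANDBOX_REGISTERED = "http://localhost:8080/oauth/callback"
LIVE_REGISTERED = "https://app.example.com/oauth/callback"

if __name__ == "__main__":
    cases = [
        (SANDBOX_REGISTERED, SANDBOX_REGISTERED, "sandbox"),
        (SANDBOX_REGISTERED, SANDBOX_REGISTERED, "live"),
        (LIVE_REGISTERED, LIVE_REGISTERED + "/", "live"),
        (LIVE_REGISTERED, LIVE_REGISTERED + "?next=/home", "live"),
    ]
    for registered, presented, env in cases:
        print(env, presented, flow_problems(registered, presented, env) or "ok")
```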

Client secrets

  • One-time display: Client secrets are shown only once when created
  • Secure storage: Store secrets securely in your application’s configuration