Refresh Access Token

Since access tokens expire after one hour, you must obtain a new access token periodically.

Best Practices

Key points to consider when working with refresh tokens:

  • Refresh tokens do not expire. They can only be invalidated explicitly by the user.
  • As a best practice, immediately capture the refresh token after using it to get a new access token. It may change, and when it does you should use the new one.
  • If you change your password, the existing refresh token should continue to work. A new refresh token will not be issued and you won’t need to request user consent and restart the OAuth flow.

Generate New Access Tokens

To obtain a new access token, send a request to the YDN authorization server specifying your ENCODED(CLIENT_ID:CLIENT_SECRET) and REFRESH_TOKEN.

  1. Run the following cURL command using your refresh_token.
  • Substitute your ENCODED(CLIENT_ID:CLIENT_SECRET) for the <<ENCODED(CLIENT_ID:CLIENT_SECRET)>> placeholder.
  • Substitute your REFRESH_TOKEN for the <<REFRESH_TOKEN>> placeholder.
curl "https://api.login.yahoo.com/oauth2/get_token" \
   -X POST \
   -H "Content-Type: application/x-www-form-urlencoded" \
   -H "Authorization: Basic <<ENCODED(CLIENT_ID:CLIENT_SECRET)>>" \
   -d 'grant_type=refresh_token&redirect_uri=oob&refresh_token=<<REFRESH_TOKEN>>'

The YDN authorization server returns a JSON response.

{
   "access_token":"Jzxbkqqcvjqik2IMxGFEE1cuaos--",
   "token_type":"bearer",
   "expires_in":3600,
   "refresh_token":"AOiRUlJn_qOmByVGTmUpwcMKW3XDcipToOoHx2wRoyLgJC_RFlA-",
   "xoauth_yahoo_guid":"JT4FACLQZI2OCE"
}
  2. Copy and save the value of the refresh token in the response. You will need it to generate new OAuth access tokens, which have a lifetime of 1 hour.
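
The refresh step above and the "capture the refresh token" best practice, as an added Python example (not Yahoo's code). It assumes ENCODED(...) means the Base64 form that HTTP Basic authentication uses; the function names, the token file layout, the 60-second renewal margin and the sample response are constructed for illustration.

```python
import base64, json, os, tempfile, time
from urllib.parse import urlencode

TOKEN_URL = "https://api.login.yahoo.com/oauth2/get_token"  # endpoint from the page
# Constructed sample response (not real tokens), same shape as the one shown above.
SAMPLE_RESPONSE = ('{"access_token":"at-constructed","token_type":"bearer",'
                   '"expires_in":3600,"refresh_token":"rt-new-constructed"}')

def build_refresh_request(client_id, client_secret, refresh_token):
    """Return (url, headers, body) for the refresh_token grant shown above."""
    # Assumption: ENCODED(...) is Base64 of "id:secret", as HTTP Basic auth defines.
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Authorization": f"Basic {basic}"}
    body = urlencode({"grant_type": "refresh_token", "redirect_uri": "oob",
                      "refresh_token": refresh_token})
    return TOKEN_URL, headers, body

def save_tokens(path, state):
    """Atomically write the token state to a file only its owner can read."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory)  # mkstemp creates the file as 0600
    try:
        with os.fdopen(fd, "w") as fh:
            json.dump(state, fh)
            fh.flush()
            os.fsync(fh.fileno())
        os.replace(tmp, path)  # atomic swap: no half-written token file after a crash
    except BaseException:
        os.unlink(tmp)
        raise

def apply_refresh_response(path, current_refresh_token, response_text, now=None):
    """Validate a token response, keep the newest refresh token, persist the state."""
    data = json.loads(response_text)
    if "access_token" not in data or data.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token response")  # do not echo the body: secrets
    now = time.time() if now is None else now
    state = {
        "access_token": data["access_token"],
        # Renew 60 s early so no request goes out with a token about to lapse.
        "renew_at": now + int(data["expires_in"]) - 60,
        # The refresh token may change; keep the old one only if none is returned.
        "refresh_token": data.get("refresh_token") or current_refresh_token,
    }
    save_tokens(path, state)
    return state
```

Send the tuple from build_refresh_request with any HTTP client, then pass the response body to apply_refresh_response before using the new access token, so a changed refresh token is stored before anything else can fail.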

Response Fields

A successful response contains the following fields:

Field              Description
access_token       The access token signed by Yahoo. Use this token to access BrightRoll DSP API. This token has a 1-hour lifetime.
token_type         Identifies the type of token returned. At this time, this field always has the value bearer.
expires_in         The access token lifetime in seconds.
refresh_token      The refresh token that you can use to acquire a new access token after the current one expires. For details on how, see Refreshing an Access Token in RFC 6749.
xoauth_yahoo_guid  The GUID of the Yahoo user.