OAuth 2.0 Tokens

This guide is a continuation of the Yahoo OAuth setup process. It assumes that you have successfully completed the steps outlined in the Authentication page.

Encode CLIENT_ID:CLIENT_SECRET

  1. Use an encoding service like base64encode.org.
  2. Encode the CLIENT_ID and CLIENT_SECRET by entering them in the format CLIENT_ID:CLIENT_SECRET:
     • Be sure there are no spaces in the CLIENT_ID and CLIENT_SECRET keys.
     • Separate the CLIENT_ID and CLIENT_SECRET with a colon.
  3. Copy the generated ENCODED(CLIENT_ID:CLIENT_SECRET). You will need it in the REST call to generate an access token.

Generate Refresh & Access Tokens

Note

Replace the variables (enclosed by double chevrons) <<>> with the values you generated from previous steps.

POST https://api.login.yahoo.com/oauth2/get_token
curl "https://api.login.yahoo.com/oauth2/get_token" \
   -X POST \
   -H "Content-Type: application/x-www-form-urlencoded" \
   -H "Authorization: Basic <<ENCODED(CLIENT_ID:CLIENT_SECRET)>>" \
   -d 'grant_type=authorization_code&redirect_uri=oob&code=<<APPLICATION_ACCESS_CODE>>'

Note

There is a single space between Basic and ENCODED(CLIENT_ID:CLIENT_SECRET).

Response Body

A successful response contains JSON with the following fields:

| Field | Description |
|---|---|
| access_token | The Access Token signed by Yahoo. |
| token_type | Identifies the type of token returned. At this time, this field always has the value bearer. |
| expires_in | The Access Token lifetime in seconds. |
| refresh_token | The Refresh Token that you can use to acquire a new Access Token after the current one expires. For details on how, see Refreshing an Access Token in RFC 6749. |
| xoauth_yahoo_guid | The GUID of the Yahoo user. |

Example Response

{
   "access_token":"Jzxbkqqcvjqik2IMxGFEE1cuaos--",
   "token_type":"bearer",
   "expires_in":3600,
   "refresh_token":"AOiRUlJn_qOmByVGTmUpwcMKW3XDcipToOoHx2wRoyLgJC_RFlA-",
   "xoauth_yahoo_guid":"JT4FACLQZI2OCE"
}

Save the refresh_token value. This value is constant and you will use it every time you generate a new access_token. Access tokens expire in 1 hour.

You will use the access_token value to interface with the BrightRoll DSP API.

Key points to consider when working with refresh tokens:

  • Refresh tokens will not expire. They can only be invalidated explicitly by the user.
  • As a best practice, you should always capture the refresh token after using it to get a new access token. It may change, and when it does you should use the new one.
  • If you change your password, the existing refresh token should continue to work. A new refresh token will not be issued and you won’t need to request user consent and restart the OAuth flow.

Refresh Access Token

Since access tokens expire after 1 hour, it is necessary for you to obtain a new access token periodically. You can use the refresh_token to obtain a new access token.

POST https://api.login.yahoo.com/oauth2/get_token
curl "https://api.login.yahoo.com/oauth2/get_token" \
   -X POST \
   -H "Content-Type: application/x-www-form-urlencoded" \
   -H "Authorization: Basic <<ENCODED(CLIENT_ID:CLIENT_SECRET)>>" \
   -d 'grant_type=refresh_token&redirect_uri=oob&refresh_token=<<refresh_token>>'

Example Response

{
   "access_token":"Jzxbkqqcvjqik2IMxGFEE1cuaos--",
   "token_type":"bearer",
   "expires_in":3600,
   "refresh_token":"AOiRUlJn_qOmByVGTmUpwcMKW3XDcipToOoHx2wRoyLgJC_RFlA-",
   "xoauth_yahoo_guid":"JT4FACLQZI2OCE"
}
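
The encoding step and the refresh-token handling described above, as an added example (not Yahoo's or BrightRoll's code): it base64-encodes CLIENT_ID:CLIENT_SECRET in-process so the secret is never pasted into a third-party site, builds the refresh request without sending it, and stores whatever refresh_token the response returns. The function names, the `store` dictionary and the 60-second early-refresh margin are assumptions of this example.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://api.login.yahoo.com/oauth2/get_token"  # endpoint from this page


def basic_auth_header(client_id, client_secret):
    """Encode CLIENT_ID:CLIENT_SECRET locally and return the Authorization value."""
    for name, value in (("CLIENT_ID", client_id), ("CLIENT_SECRET", client_secret)):
        if not value or any(c.isspace() for c in value):
            raise ValueError(f"{name} is empty or contains whitespace")
    if ":" in client_id:
        raise ValueError("CLIENT_ID must not contain ':' (it is the separator)")
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")  # single space after Basic


def build_refresh_request(client_id, client_secret, refresh_token):
    """Build (without sending) the refresh_token POST from the curl call above."""
    fields = {"grant_type": "refresh_token", "redirect_uri": "oob", "refresh_token": refresh_token}
    body = urllib.parse.urlencode(fields).encode("ascii")
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Authorization": basic_auth_header(client_id, client_secret),
    }
    return urllib.request.Request(TOKEN_URL, data=body, headers=headers, method="POST")


def apply_token_response(store, response_text, now=None):
    """Update the token store; keep a rotated refresh_token if one is returned."""
    now = time.time() if now is None else now
    data = json.loads(response_text)
    if not data.get("access_token") or str(data.get("token_type")).lower() != "bearer":
        raise ValueError("unexpected token response")
    store["access_token"] = data["access_token"]
    # Assumption: refresh 60 s before expires_in elapses to avoid using a stale token.
    store["expires_at"] = now + int(data["expires_in"]) - 60
    if data.get("refresh_token"):
        store["refresh_token"] = data["refresh_token"]  # may differ from the one sent
    return store


if __name__ == "__main__":
    # Constructed sample response (placeholder tokens, not real ones).
    sample = '{"access_token":"A1","token_type":"bearer","expires_in":3600,"refresh_token":"new-token"}'
    print(apply_token_response({"refresh_token": "old-token"}, sample, now=1000))
```

To send the request, pass the object returned by `build_refresh_request` to `urllib.request.urlopen` and feed the decoded response body to `apply_token_response`.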

Using the Access Token

With a fresh access_token, you will include its value in the X-Auth-Token header for each request to the BrightRoll API.

For more information, see Authorization Code Flow for Server-side Apps on Yahoo! Developer Network.