To use Browser-Based Authentication (BBAuth), you must first register your application. The sign-up process requires that you describe what your application does, select the Yahoo! services to which your application needs access, and provide contact information. On completion, Yahoo! provides you with an application ID and shared secret for making authenticated service calls.
Because BBAuth deals with the personal data of Yahoo! users, you must provide some extra information before you can acquire an application ID. Visit the BBAuth registration page to register your application. You must be a logged-in Yahoo! user to access this page. The page displays these fields, all of which are required:
Yahoo! ID: Specifies your Yahoo! user ID. This field should be pre-populated. If the Yahoo! ID in the field belongs to someone else, log out of Yahoo!, log back in with your own Yahoo! user ID, then reload the registration page.
Developer/company name: Specify your first and last name. If you are creating an application that belongs to a company or other organization, specify the organization's name instead.
Product name: Specify the name of your application.
URL: Specify the endpoint URL to your application. When a user logs into Yahoo! and grants your application permission to access their data, Yahoo! redirects the user to your application's endpoint URL with some extra GET parameters attached. One of these parameters is the token, which your application will use to retrieve the user's credentials. This means that you must design your endpoint URL to parse and store the token parameter for future use. For more information about the token and related parameters, refer to Logging in Your Users and Making Authenticated Service Calls.
Contact email: Specify your contact email. This may be any working email address. Confirm your email address in the next field.
Description of application: Provide a short description of what your application does. For example, "This application provides an alternate interface for uploading photos to photos.yahoo.com, optimized for mobile devices."
Properties: Select the Yahoo! services to which your application needs access. Individual Yahoo! business units choose whether to expose authenticated services, and if so, which services to expose.
You may select as many services as necessary to enable your application to function. Although these permissions are fixed at registration time, try to keep your application's permissions tightly scoped. Users can view these permissions when they log in, and if the permissions are too broad, they are more likely to deny your request for access.
Note: You cannot change any of these fields after you register your application. To access different properties or use a different endpoint URL, you must register a new application.
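An added example, not from Yahoo!'s documentation, of an endpoint handler for the URL field above: it accepts exactly one token parameter, stores it server-side, and keeps the raw value out of logs, since the token arrives in a GET query string. The host, path, `other` parameter, token value and length bound are assumptions made for the illustration.

```python
import hashlib
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

MAX_TOKEN_LEN = 1024  # assumption: this example's own bound, not a documented limit


class TokenError(ValueError):
    """The redirect did not carry exactly one usable token parameter."""


def extract_token(redirect_url):
    """Return the single token value from the redirect's query string."""
    pairs = parse_qsl(urlsplit(redirect_url).query, keep_blank_values=True)
    values = [v for k, v in pairs if k == "token"]
    if len(values) != 1:
        # Zero or repeated parameters are rejected rather than guessed at.
        raise TokenError("expected exactly one token parameter")
    token = values[0]
    if not token or len(token) > MAX_TOKEN_LEN or not token.isprintable() or " " in token:
        raise TokenError("token is empty, oversized or contains unexpected characters")
    return token


def redact_for_log(redirect_url):
    """Copy of the URL that is safe to log: token replaced by a short digest."""
    parts = urlsplit(redirect_url)
    pairs = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key == "token":
            value = "sha256-" + hashlib.sha256(value.encode()).hexdigest()[:12]
        pairs.append((key, value))
    return urlunsplit(parts._replace(query=urlencode(pairs)))


class TokenStore:
    """In-memory stand-in for server-side storage, keyed by your own session ID."""

    def __init__(self):
        self._tokens = {}

    def save(self, session_id, token):
        self._tokens[session_id] = token

    def get(self, session_id):
        return self._tokens.get(session_id)


# Constructed sample redirect; host, path, "other" and the token value are made up.
SAMPLE = "https://yourdomain.com/endpoint?other=1&token=abc123DEF"

if __name__ == "__main__":
    store = TokenStore()
    store.save("session-1", extract_token(SAMPLE))
    print(redact_for_log(SAMPLE))
```

In a real deployment, replace `TokenStore` with persistent server-side storage and log only the output of `redact_for_log`.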
After you submit your application information, Yahoo! needs to verify that you own the domain for your application. The page displays a randomly generated filename and a randomly generated string phrase. To perform the verification:
Create a file in your domain root using the specified file name. For example, if the file name is ydntpoZbQ, and your domain name is yourdomain.com, you should create the file at
Copy the random phrase and paste it into the file.
Click the Check Domain button. If Yahoo! verifies that the file is present, the page displays a result of "Pass" in green, and the Continue button becomes active.
Once your application is registered, delete the file.
Click the Continue button. The page displays two long strings:
Store these values in a place where you will not lose them; you need them to make authenticated web service calls. If you lose either one, you must register a new application.
Now that you have an application ID and a shared secret, you can build your application. The next step is to learn how to log in your users. When a user logs in, Yahoo! provides you with the user's token, which represents the user's permission to allow your application access to their data.
Logging In Your Users explains how to direct your users to a Yahoo! login page so that they return with a token. You can use this token to retrieve the user's credentials.
BBAuth and related topics are discussed on the ydn-auth mailing list.