Authorization and Headers

This article describes authentication and authorization configurations required to access and use the DSP Traffic API.


The Yahoo DSP API uses the OAuth 2.0 protocol as a simple and secure method for handling authentication and controlling access.

Yahoo DSP supports the server-side application profile only. Your YDN app is a web-based application that provides user access via an HTML-based user agent. Client credentials and tokens are issued and stored on the web server and are inaccessible to the user.

Access to Yahoo DSP seat data is granted explicitly via a bearer token. The DSP Traffic API is accessible via an access token that is issued to the YDN app.


The Yahoo DSP API one-time setup specifies the steps that every YDN app must follow to enable OAuth support, obtain API access to the platform, and make requests using the |api|s. To learn more, see Obtain OAuth Credentials (YDN).

Once you have the OAuth authentication credentials for your YDN app, your client application can request an access tokens from the YDN authorization server. These OAuth tokens will enable your application to access the Yahoo DSP API in all subsequent requests. The access token is a temporal credential that enables the YDN app to make requests. The refresh token is a persistent credential that enables the YDN app to generate new access tokens. To learn more, see Generate OAuth Tokens (YDN).

The lifetime of an access token is limited to one hour. If your YDN app needs to access an API beyond the lifetime of a single access token, it can generate a new access token using its refresh token. To learn how to refresh tokens, see Refresh YDN Access Token.


Include the value of your fresh access_token in the X-Auth-Token header of each request made to the DSP Traffic API.

curl -X POST ""
  -H "Content-Type: application/json"
  -H "X-Auth-Method: OAuth2"
  -H "X-Auth-Token: Shp3CUKR5Q..."

All requests to the DSP Traffic API must contain the following headers:

Table 13 Required Headers










Use the Sandbox Environment environment to validate workflows.

You cannot use your production account to access the sandbox.

When you are ready to switch to production system with live campaigns, double check the following:

  • Confirm that the API hostname is correct. Should be

  • Ensure that you are using access tokens generated using your production account.