The Yahoo Native Publisher API is supported by the OAuth 2.0 protocol.

The Yahoo Publisher API uses OAuth 2.0 as a simple and secure method for validation and access. The authorization model is open and based on existing standards, which ensure that secure credentials can be provisioned and verified by different software platforms. OAuth 2.0 allows you, and visitors to your web page, to securely access the Yahoo Web, Image, and News content.

As a publisher, OAuth 2.0 provides secure access to this content, using your Yahoo Ad Tech API application ID and the Yahoo Native API key to verify your authorized access privileges and allow for correct billing from Yahoo Ad Tech.

Before You Begin

Follow these steps:

  1. To begin, you need a Yahoo domain specific username, like, that is dedicated to Yahoo Ad Tech. If you don’t have one, you should create one at or

  2. Create the app and subsequent developer keys:


  • If you are creating a web application for other companies to use your software to access Yahoo Ad Tech, select Web Application as the app type. You will need a valid callback domain.

  • If you are creating a server-only connection to perform API functions restricted to your own company, use Installed Application. This does not require a callback domain to be entered; leave this blank. For subsequent API calls that require a callback url, simply enter oob.

  1. Next, you need to follow the explicit grant flow and get an authorization URL and authorize access as described in Step #2 of of the authorization code flow for server-side apps at

Using OAuth 2.0 with Yahoo Native Publisher API

Once your users connect with OAuth 2.0, your application will be able to make API calls on their behalf without requiring additional authorization from them.

The workflow is as follows:

  1. When users connect to Yahoo Ad Tech to create and manage ad campaigns, or query and fetch reports, you must send them to Yahoo Ad Tech with the client_id you received when registering your app.

  2. Users are then prompted to connect to their Yahoo Ad Tech account. After connecting, they will be redirected to your redirect_uri with an authorization code. If authorization is denied, an error code is returned.


The callback domain registered when creating an app must match the callback domain used in the API request call. The subdomain of the redirect_uri is no longer accepted. If a callback URL is involved, make sure it is encoded when passed as part of the redirect_uri parameter. For example, if the callback URL is, use

  1. You can then exchange that authorization code for an access token, which enables usage of your API calls.

OAuth Refresh Tokens

Key points to consider when working with refresh tokens:

  • Refresh tokens will not expire. They can only be invalidated explicitly by the user.

  • Access tokens will expire after 60 minutes.

  • As a best practice, you should always capture the refresh token after using it to get a new access token. It may change, and when it does you should use the new one.

  • If you change your password, the existing refresh token should continue to work. A new refresh token will not be issued and you won’t need to request user consent and restart the OAuth flow.

  • If, as an Yahoo Ad Tech API Partner, you explicitly revoke the OAuth access for your app on account info, you should request user consent again.