- Redirect the business user to Yelp's authorization page.
- After the user authorizes your application, an authorization code is returned to your application.
- Redeem the authorization code for an access token.
- Use the access token to make requests on behalf of the business user.
Your application must redirect the business user’s browser to Yelp's authorization URL. This will be in the form of a GET request and you must provide the necessary GET parameters.
On the Yelp Login Page the business user will enter their username and password to authorize the client to make requests for the specific OAuth scopes on their behalf.
The login page sent back to the business user contains an X-Frame-Options: SAMEORIGIN header. This prevents the login page from being embedded in a non-Yelp frame.
|Required||ID assigned by Yelp for the third-party system that will make user-authorized requests to Yelp.|
|Optional||An endpoint provided by the client. After the user has entered their credentials, Yelp will redirect to this endpoint, submitting either the authorization code or an error message. If this parameter is not supplied, the default redirect URI submitted during client registration will be used.|
|Required||A string denoting the type of response. In the case of requesting an authorization code, this value will be |
|Required||A space delimited list of actions that the business user is authorizing the client to perform.|
Yelp must enable your application for each scope; do not request scopes you don't have access to.
|Required||A unique string generated by the client to maintain state between the request and the callback. Used to prevent CSRF|
The user will be shown a confirmation dialog naming your application and the permissions (scopes) you requested:
Once the business user’s credentials are validated and they have authorized your application, an authorization code is sent back to the client’s redirect URI.
|code||A unique code that will be used by the client to redeem an access token.|
|state||The state passed into the initial request. Verify this is the same as in the request to Yelp to prevent CSRF|
The Authorization Code expires in 5 minutes so the client should redeem the authorization code for an access token immediately. You should verify that the state parameter matches the parameter from the original authorization request to prevent possible CSRF.
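The state handling described above, as an added example (not Yelp's code): a client generates a single-use state, builds the authorization redirect, and rejects callbacks whose state does not match. The authorization URL is a placeholder, and the response_type, scope and error parameter names follow RFC 6749 as an assumption, since they do not appear on this page.

```python
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder: this page does not give the authorization URL.
AUTHORIZE_URL = "https://authorization-server.example/oauth2/authorize"
STATE_TTL_SECONDS = 300  # assumed lifetime, chosen to match the 5-minute code expiry

# Pending states keyed by browser session: session_id -> (state, issued_at).
# Constructed in-memory store for the example; use the server-side session in practice.
_pending = {}


def build_authorization_url(session_id, client_id, redirect_uri, scopes, now=None):
    """Create a fresh single-use state and return the URL to redirect the browser to."""
    state = secrets.token_urlsafe(32)  # unique and unguessable for every request
    _pending[session_id] = (state, time.time() if now is None else now)
    query = urlencode({
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",    # RFC 6749 name and value (assumption)
        "scope": " ".join(scopes),  # space-delimited list of scopes
        "state": state,
    })
    return f"{AUTHORIZE_URL}?{query}"


def handle_callback(session_id, callback_url, now=None):
    """Return the authorization code only when the state checks out; raise otherwise."""
    params = parse_qs(urlparse(callback_url).query)
    # Pop before checking so a state can never be replayed, even after a failure.
    expected, issued_at = _pending.pop(session_id, (None, 0.0))
    received = params.get("state", [""])[0]
    if expected is None or not hmac.compare_digest(expected.encode(), received.encode()):
        raise PermissionError("state mismatch: possible CSRF, callback dropped")
    if (time.time() if now is None else now) - issued_at > STATE_TTL_SECONDS:
        raise PermissionError("state expired")
    if "error" in params:  # RFC 6749 error parameter name (assumption)
        raise RuntimeError(f"authorization failed: {params['error'][0]}")
    if "code" not in params:
        raise ValueError("callback carries neither code nor error")
    return params["code"][0]
```
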
Using the authorization code assigned for that business user, the Get Access Token endpoint will send back an access token. The Access Token expires in 7 days. When it expires the client should refresh the token.
Once you have the access token you can start making API calls to all OAuth-secured Yelp APIs which are included in the scopes you have requested. You must include the access token in the Authorization header of the HTTP call.
curl -X GET https://partner-api.yelp.com/token/v1/businesses -H 'Authorization: Bearer <access_token>'
You can retrieve a list of all open businesses associated with a specific business user's access token.
The authorization server responds with HTTP status code 200 if the token has been revoked successfully or if the client submitted an invalid token.
- Authorization Code: 5 minutes
- Access Token: 7 days
- Refresh Token: 365 days
For the following error scenarios, Yelp will send back an error code to the redirect URI. If a state was provided in the original request, it will be included in the error response.
If the client_id is not submitted or invalid, or an invalid redirect_uri is submitted, Yelp will display an error message to the business user as there is no way of notifying the client without a client_id and a valid
If no client_id is provided, a 404 Not Found will be returned.
|Error Code||Description||HTTP Code|
|invalid_request||The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed.||400 - Bad Request|
|access_denied||The state supplied in the request is not unique/has been used before.||403 - Forbidden|
|invalid_scope||The request is unauthorized for the given scope.||400 - Bad Request|
|unsupported_response_type||Unsupported response type.||400 - Bad Request|
|server_error||Server error.||500 - Internal Server Error|
Error Response Template: