<% user.full_name %>
<% util.level ? util.level.title : '' %>
Explorer Pioneer Apollo Viking Voyager Pathfinder Orion
Points
<% user.points ? user.points.toLocaleString() : 0 %>
Badges
<% util.badgeCount %>
Streaks
Congratulations You've <% util.newestBadge.isCurriculum ? 'completed' : 'earned' %> the
<% util.newestBadge.title %> <% util.newestBadge.isCurriculum ? 'curriculum' : 'badge' %>!
previous
next
Share to Social Media
Linked In Facebook
Status
<% util.level ? util.level.title : '' %>
<% util.level ? util.level.points : '' %>
<% util.nextLevel ? util.nextLevel.title : '' %>
<% util.nextLevel ? util.nextLevel.points : '' %>
Level up! <% util.levelPointsRemaining %> points to go
Level up! <% util.levelPointsRemaining %> points to go
Badges
Completed Hitchhikers Program Track Completed Content Track Completed Pages Track Completed Page Builder Track Completed Search Backend Track Completed Search Frontend Theme Track Completed Search UI React Track Completed Solution Templates and the Admin Console Track Completed Technical Skills Track Completed Platform Basics Track Completed Listings Track Completed Reviews Track Completed Industry Overview Track Completed Analytics Track Completed Industry Overview & Product Basics Track Completed Knowledge Assistant Track Completed Multi-Language Experiences Track Completed Fall '22 Release Highlights Track Completed Spring '23 Release Highlights Track Completed Chat Track Completed Summer '23 Release Highlights Track Completed Fall '23 Release Highlights Track
<% util.expandBadges ? 'Less' : 'More' %>
Playground Accounts
New +
No Playground Accounts
Create Playground +
View Profile
Log Out loading
Mission Complete! 🚀
Congratulations, you’ve completed your first module!

We hope you enjoy exploring the rest of the site. Please don’t forget to leave us feedback - we are constantly looking to improve. Happy Hitchhiking!
Home
Welcome to Hitchhikers! 👋
To learn more about the platform we encourage you to get started by completing the Hitchhikers Program Track and earning your first badge!
Start Here
Close notification
Guide
OAuth and Permission Scopes
Arrow Back
Completed
Introduction
Introduction
completed
Completed 1
Step 1
Setup OAuth Process
completed
Completed 2
Step 2
Handling OAuth Error Cases
completed
Completed 3
Step 3
Using APIs with OAuth access tokens
completed
home

Step 1: Setup OAuth Process

Overview

To initiate the OAuth process, redirect the customer to the URL below, providing your app’s client ID, redirect URI, and any state your app needs on redirect (usually an anti-forgery token to prevent CSRF attacks).

URL to start OAuth process with Yext

// Note domain is different than API endpoints domain
https://api.yext.com/oauth2/accesstoken
        client_id=<CLIENT_ID>&
         redirect_uri=<REDIRECT_URI>&
         state=<STATE>&
         response_type=code
         grant_type=authorization_code

We recommend using a 470 x 600 pixel popup window to collect the customer’s information.

The redirect URI should:

  • exactly match a domain (including subdomain) found in the list of OAuth Redirect Domains in the App configuration
  • be fully URL-encoded, and
  • be an absolute URI, including the protocol (https%3A%2F%2F, for example)

Permission Scopes

Permission scopes are not specified during the OAuth flow; they are configured when you create or edit your app with the Permissions and Endpoints values in the App Directory configuration.

If the customer successfully authenticates and authorizes the app, Yext will redirect the customer back to your app with:

Successful authentication/authorization redirect URL

// If your URI does not contain query parameters, appended with ?
<REDIRECT_URI>?code=<AUTHORIZATION_CODE>&state=<STATE>
 
// If your URI contains query parameters, appended with &
<REDIRECT_URI>&code=<AUTHORIZATION_CODE>&state=<STATE>

Your app will receive an authorization code and any state you specified. With the authorization code, your app should make a server-side HTTPS POST call to the OAuth access token endpoint with your app’s client ID, API key, authorization code, and redirect URI (used for validation, not for callback) in a standard Content-Type: application/x-www-form-urlencoded body:

Access token API endpoint

// Note domain is different than domain in URL to start OAuth process
https://api.yextapis.com/oauth2/accesstoken

POST request, exchanging authorization code for access token

POST /oauth2/accesstoken HTTP/1.1
Host: api.yextapis.com
Content-Type: application/x-www-form-urlencoded
 
client_id=<CLIENT_ID>&
client_secret=<CLIENT_SECRET>&
code=<AUTHORIZATION_CODE>&
redirect_uri=<REDIRECT_URI>&

REDIRECT_URI

Your call to the accesstoken endpoint must exactly match the used in your initial authorize call, including domain, path, and query parameters.

If successful, you will receive an HTTP 200 response with a JSON payload containing the access token, app-specific account ID, and account name:

{
    “access_token”: “<ACCESS_TOKEN>”,
    “appSpecificAccountId”: “<APP_SPECIFIC_ACCOUNT_ID>”,
    “accountName”: “<ACCOUNT_NAME>”,
}

You can now use this access token to make calls to the Yext APIs, as well as the app-specific account ID for identifying webhook payloads. You are free to show the account name in your UI to let the customer know that they have successfully linked their Yext account.

light bulb
Note
Access tokens should be stored securely (e.g., encrypted at rest), as they are analogous to customer passwords. Never expose the access token outside of a secure connection with Yext during API calls.
Feedback
<% elem.innerText %>