Yahoo Direct Authentication API Terms of Use

  1. Introduction.
    Thank you for using the Yahoo Direct Authentication application programming interface (“DirectAuth API”), which is one of many Yahoo application programming interfaces (the "Yahoo APIs"). Your use of the DirectAuth API in the development of your application (“Your Application”) is covered by the following terms:
    1. The Yahoo API Terms of Use (“API TOU”), located at; and
    2. This Yahoo Direct Authentication API Terms of Use (“DirectAuth TOU”), located at
      Subject to the restrictions set forth in this DirectAuth TOU and the API TOU, You may use the DirectAuth API and any updates provided by Yahoo (in its sole discretion). Yahoo! Inc. ("Yahoo") reserves the right to update and change, from time to time and without notice to you, this DirectAuth TOU and all documents incorporated by reference. If you disagree with any of the terms contained in these two documents, then Yahoo does not grant you a license to use the DirectAuth API. Your use of the DirectAuth API at any time constitutes acceptance of the then-current version of the DirectAuth TOU. In the event of any inconsistency between the API TOU and the DirectAuth TOU, the latter controls.
  2. Privacy and Security.
    The DirectAuth API allows you to authenticate Yahoo users for Your Application in a non-browser environment. Yahoo takes end user security and privacy very seriously, and You agree to give us all necessary assistance for the operation of Your Application in compliance with this DirectAuth TOU and any applicable laws. In particular, You shall comply with and agree to the following:
    1. You are solely responsible for securing clear, express consent from the end user (“User”), granting You permission to access such User’s Yahoo account using the DirectAuth API, including, if applicable, retrieving user-specific information or writing information to such User’s account. At the time that you request permission to access a User’s information, You must clearly and conspicuously display a notice to such User that You will have access to the information contained within the User’s Yahoo account. As part of the consent process, You must provide notice of the specific data that you will access, collect, store, write or otherwise use, and you may only use the specific data within that User’s account if you have notified and disclosed Your Application’s use of that specific data to the User.
    2. You must have an accurate privacy policy that is publicly accessible. You must also present this privacy policy (or easy access to such policy) at the time that You request permission from a User to access his or her information.
    3. You must describe the method through which a User can revoke Your access to his or her Yahoo account information.
    4. You must notify the User that changing his or her Yahoo password may require the User to grant permission to You again in order to access the User’s Yahoo account information.
    5. You must notify the User that Yahoo is not affiliated with You or Your Applications, that the information which the User has granted You permission to access is subject to Your privacy policy, and that You are solely responsible for Your use of the User’s Yahoo account information.
    6. In order to assist you in complying with the notification requirements in paragraphs 1 through 5 of this Section 2, Yahoo provides the following model notification, which You may adapt for your purposes by modifying the bracketed fields as appropriate (e.g., for “XYZ,” You would enter Your or Your organization’s name, and for “Yahoo Service,” You would enter, as an example, “Flickr”).
      "By granting [XYZ] permission to read and write information like your [IDENTIFY SPECIFIC TYPES OF INFORMATION (e.g., Name, Photos, Contacts, etc.)] you have in [Yahoo Service], [XYZ] will be able to access the information contained within your Yahoo account. Yahoo is not affiliated with [XYZ] or any applications developed or distributed by [XYZ]. [XYZ] is solely responsible for its usage of the information you allow it to access by granting this permission (Please read the [XYZ] privacy policy [hyperlink to Your privacy policy] to learn more).
      You may revoke this permission at any time by signing in to the Yahoo Network at and selecting the ‘My Account’ link. Keep in mind that if you change your Yahoo password, you may be required to grant this permission again."
      If you do not use the model notification provided above, or use a version of this model notification that has been modified in any manner other than just by replacing the bracketed information, then You must first obtain written permission from Yahoo to use your own form of user notification.
  3. Direct Authentication and Your Systems.

    (i) Securing User Consent. You will strictly comply with the scope of express consent that Users granted You when accessing such User’s Yahoo account.

    (ii) Contact and Cooperation. You (or, if it’s not You, then the name of the contact You gave to Yahoo when You applied for Your application ID for review) must be reachable at all times for security questions or concerns. You can change this name or contact by emailing

    (iii) Virus Precautions. All materials, including software and documents, that You provide to Yahoo, must be checked with Internet industry standard up-to-date antivirus and anti-worm software, and determined to be virus-free and worm-free. Any data provided to Yahoo must not contain harmful scripts or code.

    (iv) Industry Standards. Your networks, and the operating systems and software of Your web server(s), routers, databases, and computer systems (collectively, the "Systems"), must be properly configured to Internet industry standards, as required to securely operate Your Application. If You do not completely control any aspect of the Systems, You will use all control or influence that You have over such Systems and/or the selection of Systems, and You will not architect or select Systems in a manner intended to avoid the foregoing obligation. An example of an unacceptable server is one that operates as an open proxy. An example of architecting in an unacceptable manner would be selecting a server operated by a vendor with substandard security practices so that You could contend that You do not control such server, in order to avoid having to select an acceptable server.

    (v) Reporting. You must promptly report to Yahoo in writing, any security deficiencies in or intrusions to Your Systems, relating to the DirectAuth API or any Yahoo user data, via email to . You will work with Yahoo to immediately correct any security deficiency, and will disconnect immediately any intrusions or intruder. In the event of any such security deficiency or intrusion, You will make no public statements (i.e. press, blogs, bulletin boards, etc.) without prior written and express permission from Yahoo in each instance.

    (vi) Control Access to Systems. To the extent You have control or influence over the Systems, You will log (in a time- and date-stamped fashion) all instances of access to the Systems. You will encrypt the password and username files for the Systems that store or process any Yahoo user data that You are permitted by Yahoo to access. Passwords must be unique, unintuitive, and changed often. You will minimize access to and use of the passwords. Wherever possible, commands which require additional privileges should be securely logged (with time and date) to enable a complete audit trail of activities. When an individual terminates his or her employment with You, his or her passwords and password access facilities must be terminated immediately.

    (vii) Security Reviews. Yahoo will have the right, at its own expense, to review, or to have an independent third party that is not Your competitor inspect and review, Your compliance with these security provisions. You will (at Your own expense) correct any security flaws detected by such a review as soon as possible. You will then promptly certify to Yahoo in writing that the security flaw has been corrected, along with a description of the corrective action(s) taken. Yahoo will give You 48 hours' notice before conducting such a review, and may conduct no more than four reviews annually. Any such review will be conducted during regular business hours in such a manner as not to interfere with normal business activities. If a review reveals a material breach of any of these security provisions, You will reimburse Yahoo for the reasonable costs of the review.

  4. Term of Use.
    Your license to use the DirectAuth API commences upon your initial use of the DirectAuth API and continues until terminated by either party. You may terminate this DirectAuth TOU by completely discontinuing use of the DirectAuth API. Your license to use the DirectAuth API terminates automatically if you fail to comply with any of the terms of this DirectAuth TOU or the API TOU. Yahoo may terminate this DirectAuth TOU and the API TOU at any time for any reason by (i) publicly posting a written notice of termination, (ii) sending a written notice of termination to you, or (iii) ceasing to provide You with access to the DirectAuth API.

Document version dated 2.29.08