Hosted Auth Overview

Doc type: Explanation

Yoyo Authorisation is a hosted authentication portal that lives on auth.yoyogroup.com (production) and auth-int.yoyogroup.com (integration). It centralizes login and establishes a shared session across Yoyo subdomains by setting HttpOnly cookies scoped to .yoyogroup.com.

Understand the flow

  • Hosted auth portal: Users sign in on the hosted portal and are redirected back to their destination app.
  • Shared cookies: The portal sets HttpOnly cookies (${AUTH_COOKIE_PREFIX}access_token, ${AUTH_COOKIE_PREFIX}id_token, ${AUTH_COOKIE_PREFIX}refresh_token) for .yoyogroup.com.
  • Consumer apps: Your app reads the cookies server-side and forwards the access token to downstream APIs.
  • Redirect safety: Redirect targets must be HTTPS and pass the redirect allowlist.
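
The redirect rule above (HTTPS only, and on the allowlist) can be enforced as in the following added example, which is not the portal's own code. The allowlist entries, the origin-based matching, the fallback URL and the function names are assumptions made for illustration.

```javascript
// Added example, not the portal's code. Allowlist entries are constructed
// samples; origin-based matching is an assumption about how the allowlist works.
const REDIRECT_ALLOWLIST = new Set([
  "https://app.yoyogroup.com",
  "https://rewards.yoyogroup.com",
]);

function validateRedirect(target, allowlist = REDIRECT_ALLOWLIST) {
  if (typeof target !== "string" || target === "") {
    return { ok: false, reason: "empty" };
  }
  // Whitespace, control characters and backslashes are normalised differently
  // by browsers and server-side parsers, so refuse them before parsing.
  if (/[\s\\\u0000-\u001f\u007f]/.test(target)) {
    return { ok: false, reason: "bad-characters" };
  }
  let url;
  try {
    url = new URL(target); // no base URL: relative and "//host" inputs throw
  } catch {
    return { ok: false, reason: "unparseable" };
  }
  if (url.protocol !== "https:") return { ok: false, reason: "not-https" };
  // "https://trusted@other-host/" parses with other-host as the hostname.
  if (url.username || url.password) return { ok: false, reason: "userinfo" };
  // url.origin is scheme + lower-cased host + non-default port, so suffix
  // look-alikes and unexpected ports fail the exact match.
  if (!allowlist.has(url.origin)) return { ok: false, reason: "not-allowlisted" };
  return { ok: true, reason: "allowed" };
}

// Fall back to a fixed landing page rather than echoing a rejected target.
function resolveRedirect(target, fallback = "https://app.yoyogroup.com/") {
  return validateRedirect(target).ok ? target : fallback;
}
```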

Know when to use it

Use the hosted auth portal when you want a single sign-in experience across multiple Yoyo subdomains, or when you need consistent cookie handling across SSR, SPA, and mobile surfaces.

For localhost development or external applications, use the OAuth2 Authorization Code Flow with PKCE. See Local development quickstart.

Authentication types

The hosted auth portal uses a standard OAuth2 authorization code flow with credentialed OAuth providers:

  • Credentialed OAuth: Authentication through OAuth providers with credentials (Google)
  • OAuth2 Authorization Code Flow with PKCE: Standard OAuth2 flow for SPAs, mobile apps, and external applications (client ID only, no secret required)

Note: We only support OAuth through credentialed OAuth providers. Direct email/password and passwordless authentication are not available as standalone options.

For a flow-by-flow support matrix, see OAuth 2.0 Authentication.

Coming soon configuration

Internal Yoyo applications will be able to request allowlisting for hosted auth access. See Whitelist Your Application (Coming Soon).

Complete Integration Reference

For a comprehensive single-file reference containing all integration information, environments, URLs, methods, constraints, and examples, see the complete integration reference.