Last night I mentioned that we'd have a few more announcements on the Yahoo! Developer Network today.

I just posted the latest: Browser Based Authentication or BBAuth as we like to call it.

Our Browser Based Authentication (BBAuth) is a generic mechanism that will allow users to grant 3rd party web-based applications access to their Yahoo! data. There's already a similar mechanism in place on Flickr and used by services like MOO. BBAuth is the protocol that's going to open the door to doing the same thing for many Yahoo! branded services in the coming months. Stay tuned for those announcements. :-)
Beyond that, BBAuth also makes it possible to use Yahoo! as a single sign-on for your site, thus removing a barrier to entry for a whole lot of people (over 200 million to be exact). This is still fairly experimental, so we'd love to get your feedback and input on how to make it even more useful.

The first two Yahoo! services supporting BBAuth are Yahoo! Photos (API) and Yahoo! Mail (API only available to Hack Day attendees at the moment).

This was a long time in the making, so it's quite a relief to get it out the door. Special thanks to the folks in Photos and Mail for getting support enabled in time for Hack Day.

And special thanks to Dan Theurer, who did a ton of the work on the YDN side. See Launching the Un-Launch-Able post for his take.

Posted by jzawodn at September 29, 2006 10:02 AM

Reader Comments
# Gregor J. Rothfuss said:

Very cool! Any chance for OpenID support?

on September 29, 2006 10:31 AM
# Ryan Tate said:

What can I as an application developer do using the authentication API?

This doesn't seem to be answered on the site you linked to, at least not clearly.

Can I store arbitrary key=>value pairs? More than that? What Yahoo data can I ask the user to grant me?

I could not find any of these nitty gritty details, which basically constitute why I would want to use the service. The FAQ outlined the limits of the service before it really told me what the service was (that's like the first FAQ question, but the answer is vague marketing stuff).

This seems exciting. Dave Winer seems to think so. Just confused on what exactly this enables.

on September 29, 2006 11:02 AM
# Nikhil said:

Return of the Yahoo

I have been wanting to talk about Yahoo and their aggressive pursuit of Google in the Internet space for a while. The biggest manifestation of this has been their courting of developers to leverage their ecosystem. But this is big - this IMHO puts them abreast if not ahead of Google right now.

on September 29, 2006 11:27 AM
# Marc Canter said:

Tee Hee Hee - now just imagine if one product supported BB Auth, imported Facebook and gatewayed to OpenID.

Hmmmmmm - I know we can call it a PeopleAggregator.


Love yah babe! Sorry I couldn't make it there - but my soul and spirit are with you.

on September 29, 2006 12:09 PM
# PartyOn said:

I liked it better in 2001 when it was called Hailstorm!

on September 29, 2006 01:07 PM
# Dick Hardt said:

Hey Jeremy

While I think this is great for Web 2.0 developers to get access to Yahoo services, it would have been *so* much better if it would have been a user-centric model. Hopefully this is a first step in Y! adopting a user-centric model in the future. I wrote a little about it at:

on September 29, 2006 03:17 PM
# James Day said:

I'm keen to ensure that no part of the information I trust Yahoo with is leaked to other sites, including the existence or otherwise of a Yahoo account. As a user, how can I ensure that the requests are always automatically rejected without giving the calling site a clue about whether I do or do not have a Yahoo ID?

Congratulations on the launch, though! It's an area where the technical me and end user me have different views.

on September 29, 2006 04:27 PM
# Jeremy Zawodny said:


The third party never sees any data about you--only that which you tell them yourself.

on September 29, 2006 04:36 PM
# Warren said:

So if I'm understanding this right, this is Yahoo's answer to the thing Microsoft has had for the last 4 or so years (PassPort)?

on September 29, 2006 04:57 PM
# Jeremy Zawodny said:

Not really, no.

This is simply an easier on-ramp for users getting onto new services. It benefits new sites, existing Yahoo users, and it's free for both parties.

Does "the thing Microsoft has had" feel like they opened up a larger userbase to third party sites with few strings attached? If so, I'd like to know what that thing is.

on September 29, 2006 05:02 PM
# Ram Adan said:

Comparing to Google's Account Authentication API (GAAAAAAA....)

I suppose YaHoo's advantage is the much larger pool of Yahoo users?
Technically, it's the same, no?


on September 29, 2006 08:28 PM
# Kevin Howard said:

Like Ryan I am a little confused about the wider benefits of BBauth. My initial take is that it encourages people to register with Yahoo so they can access third party sites which require registration and use BBauth. However, presumably the operators of third party sites can't access any information about their users who come in via Yahoo.

From a user perspective this may be attractive, but it doesn't seem very attractive to the third party site operator.

on September 29, 2006 10:02 PM
# Jitendra said:

I am not sure how this is different from typekey from SixApart? What kind of data is going to be accessible to third party apps?

on September 29, 2006 11:19 PM
# Kingsley Idehen said:

Why not OpenID? I would suggest some clarification about this matter as it will ultimately affect the uptake of this effort.

My $0.02 :-)

on September 30, 2006 06:55 AM
# Kevin Roth said:

In the Y! developer network table of contents, the item labeled "Design Pattern Library" has a tool tip that reads "Sweet, tasty pattens!". I would guess that's a typo?

on September 30, 2006 08:00 AM
# marble2 said:

As a third party site we find it very attractive and are working on integration now. With the user hash it's a starting point for a relationship with the member, that can provide a key into the side door for you to start customizing the experience for the visitor.

It's step number one from a visitor who you'll probably never see again to someone who had a good, fast authentication experience that worked with something they already have.

Growing from a small to big site you face a lot of hurdles - people show up, like what you have to say but grimace about another username and password. Then they see that their handy dandy yahoo! login gets them quick access to comment or start getting involved. After that initial step you can then work on expanding the proposition to the user and convert them to deeper membership levels.

It's like meeting a girl at a bar - you didn't get her phone number but she got yours. It's at least the start of what could become a relationship, not a fleeting read and leave.

on October 1, 2006 09:23 AM
# Lloyd D Budd said:

It would have been excellent if out of the gate you had implemented OpenID API. I look forward to being able to really get excited about BBAuth.

on October 1, 2006 05:29 PM