This document introduces the Business Authentication.

Business Authentication is an OAuth 2.0-based authentication service that enables you to operate business assets, such as ad accounts and Kakao Talk Channels, on behalf of users. By introducing Business Authentication, you can safely obtain only the permissions required for managing business assets and easily provide specialized technologies for user business success through the Kakao Business API with granted authorization.

1. Refer to the documents below to complete developer account registration, app creation, and business information registration.
   • Register developer account
   • Register business information
   • Register business redirect URI
2. Apply for permission for each required business asset by following the process below.
   • Kakao Moment: Request and receive approval for [Kakao Moment] through Request additional feature.
   • Keyword Ads: No separate permission request required.
3. Configure the required business consent items by referring to Set business consent items.
4. Provide business authentication services by using the business token authorized for the business assets by the user. For the full process, see Business authentication process.

The Business Authentication process is explained below. Refer to the sequence diagram and the step-by-step explanation.

1. When a user requests Business Authentication, the service specifies the required Business consent items and requests the Get business authorization code API.
2. The Business consent screen with the specified consent items is displayed to the user.
3. If the user agrees to the consent screen, the Kakao API server sends the business authorization code to the service via the Business redirect URI.
4. The service requests the Get business token API with the authorization code to issue a business token.
5. The service uses the issued business token to operate the Business assets.

Assets provided by Kakao for users to use in their business activities. Representative examples of business assets include Ad accounts.

For a service to operate a user's business assets, it must obtain Authorization for access to each asset's information and functions through the Business consent items.

The process where the Kakao Developers asks the user for consent on the Business consent screen to provide access to the business assets requested by the service.

The service can request authorization by including the required Business consent items in the Get business authorization code API request. If the user agrees, the service receives an authorization code, which can be used to issue a business token.

Items corresponding to the access permissions for the information and functions of Business assets. Services use business consent items to request Authorization from users.

Settings that control how business consent items are requested from users for Authorization. Business Authentication supports only the required consent level, which requires users to agree to the consent screen.

A list of Business consent items that the service must configure in the app and obtain user authorization for in order to receive personal information through Business Authentication. For instructions on setting up personal information consent items in the app, refer to Prerequisites.

A list of Business consent items that must be authorized to call the Kakao Moment API through Business Authentication.

A list of Business consent items that must be authorized to call the Keyword Ad API through Business Authentication.

An access token for Business Authentication that proves a service has access permission to the Business assets information and functions.

The service uses the business token to call the Kakao Business APIs and operate business assets. Below are the details of business tokens, which differ from regular tokens.

• Issuance
  • The business token is newly issued each time when requesting the Get business token API.
• Retrieval
  • The permissions granted to the business token can be retrieve through the Retrieve business token information API.
• Expiration
  • Automatically expires after long periods of inactivity.
• Revocation
  • Revoke the business token by calling the Revoke business token API or in Account settings.

This is a security feature that ensures a successful response to the Get business token API for business authentication only when the pre-issued client secret code is included in the client_secret parameter. To check how to set, see Prerequisites.

According to Personal Information Protection Act, Article 39-12 (Protection of Information Transferred Overseas), if your service provides, outsource the processing of, or transfers users' personal information obtained through the Kakao APIs to other countries, you must notify users of the followings in advance and obtain user's consent to transferring personal information overseas.

• Particulars of the personal information to be transferred
• The country to which the personal information is transferred, transfer date and method
• Name of the entity to which the personal information is transferred (For a corporation, the name of a corporation and the contact information of the person responsible for the management of information)
• The purpose of using personal information by the entity to which the information is transferred and the period of retaining and using personal information

Transferring personal information overseas means the following cases.

• If a domestic company (in Korea) intends to transfer user information stored in Korea to a third country.
• If an overseas company (outside Korea) intends to retrieve, store, or process the user information stored in Korea.

To check how to register the transfer personal information overseas, see Prerequisites.