Kaizen #79 - OAuth2.0 - A Recap and FAQs

Hello everyone!

Welcome to another week of Kaizen!

Today, we will address a few frequently-asked questions about OAuth2.0 that include token generation, scopes, errors etc,.

If you have any other questions, let us know in the comment section. We will offer solutions and add them to this list.

Before we move on to common errors and their solutions, let us look at generating grant, access and refresh tokens for a client.

1. Creating a client

You must register your client on the API console to request access to users' resources. This client must handle authenticating itself to the authorization server and requesting an access token to access the users' resources.

Here is an example for creating a client for a server-based application.

2. Setting up an environment in Postman

1. On the sidebar, click Environments > + icon.
2. Enter a name for your environment.
3. Create the following variables. We will fill in their values as we go along.
   ->client-id (obtained after registering the client)
   ->client-secret (obtained after registering the client)
   ->redirect-uri (given at the time of registering the client)
   ->accounts-url
   ->access-token
   ->refresh-token
   ->api-domain
   ->expiry-time
4. Select Save to save any environment variables you have added.
   

3. Generating the authorization code(grant token)

The authorization code flow is often used when the client is a web application running on a server. This flow uses a server-side redirect URI to receive the authorization code and adds a layer of security, rather than relying on a client-side redirect URI.

What do you need?

• client ID - obtained after registering the client.
• scopes - to get consent from the users to use their data. See the available scopes here.
• response_type - the value "code" as we are requesting for an authorization code.
• access_type - online or offline(to get a refresh token along with an access token, later).

What will you get?

• code - a one-time grant token that you will use to generate access and refresh tokens.
• accounts-server - the Zoho accounts URL that you will use to generate access and refresh tokens. This is the variable accounts-url in Postman.
• location - the API domain from which you must make API calls to access data. This is the variable api-domain in Postman.

Tip:

If you do not have an application, yet, but want to test this flow, copy-paste the following URL in your browser with valid values for the various parameters. 

You will receive the grant token as a value to the key "code" in the redirect URL you specified while registering the client.

https://accounts.zoho.com/oauth/v2/auth?scope=scope_here&client_id=client_ID_here&response_type=code&access_type=offline&redirect_uri=redirect_uri&prompt=consent

Here is a GIF of this process.

Self-client

Use this option if your application does not have a domain and a redirect URL.

You can also use this when your application is a standalone server-side application performing a back-end job like data sync.

4. Generating access and refresh tokens from the grant token

Access tokens allow the application to access user's data from the resource server. Each access token is valid for an hour, after which, you must use the refresh token to generate a new access token. 

Note

Each access token is bound to the scope you specified while generating the grant token, i.e, if the scope while generating the grant token was ZohoCRM.modules.READ, you can only get data from all the modules but not update, create, or delete.

What do you need to generate access and refresh tokens?

• client_id - obtained while registering the client
• client_secret - obtained while registering the client
• redirect_uri - specified while registering the client
• code - the grant token you generated in the previous step
• grant_type - the value authorization_code

What will you get?

• access token - the token to access users' data. Valid for an hour.
• refresh token - the token to generate new access token for the same scope. Does not expire until it is revoked or till the 21st refresh token is created.
• scope - the scope for which these tokens are generated for.
• API domain - the domain to which you must make API calls to access data.
• expiry time in seconds and milliseconds - the time after which the access token expires in seconds and milliseconds. You can use this data to programmatically refresh the access token before it expires for continued access to data.

Here is how it works.

Tip:

When you use our API collection, the request to generate access and refresh tokens comes with a script that automatically updates the values of variables in your environment.

FAQs

1. Validity

• Grant token - Two minutes; one-time use only.
• Access token - One hour.
• Refresh token - does not expire until it is revoked or a 21st refresh token is created.

2. Token Limit

• Grant token - Ten grant tokens in a span of ten minutes.
• Access token - Ten access tokens in a span of ten minutes. When you generate the 11th token, the first-created one will be deleted, automatically.
• Refresh token - Ten refresh tokens in a span of ten minutes. You can have a maximum of 20 refresh tokens. When you create a 21st refresh token, the first-created one will be deleted.

The following are a few common errors you may face while generating tokens.

Error	Cause	Solution
invalid_oauth_token	The access token is either invalid or has expired.	Use the right access token or generate a new one from the refresh token.
invalid_scope	The scope you have used is invalid.	Refer to Scopes for the list of available scopes.
invalid_code	The authorization code(grant token) is invalid or has expired.	Grant token is valid only for two minutes. Use a grant token to generate access and refresh tokens within this time. Generate a new grant token if you face this error.
invalid_redirect_uri	The redirect URI you have given in the API console is invalid.	Specify a valid redirect URI to be able to receive a grant token.
invalid_client	Either the client ID or client secret is invalid.	Specify valid client ID and secret while making authorization calls. The API console has the client ID and secret.
invalid_response_type	The value of the "response_type" key is invalid.	While generating access and refresh tokens from the grant token, the value of the "response_type" key must always be "code".

Multi-DC

Zoho CRM is hosted at multiple data centers to comply with the privacy and data protection laws of various countries.

So, if your application is in the US DC but wants to use the data of users in the EU DC, you must enable multi-DC while registering your client.

The various domains and their respective accounts URLs are:

• US: https://accounts.zoho.com
• AU: https://accounts.zoho.com.au
• EU: https://accounts.zoho.eu
• IN: https://accounts.zoho.in
• CN: https://accounts.zoho.com.cn
• JP: https://accounts.zoho.jp

How do you ascertain the domain?

When you generate the grant token, the parameter location gives you the DC that the data is located in.

Similarly, when you generate the access and refresh tokens, the key api_domain gives you the domain-specific API URL.

For example, if you want to get the data of leads from EU, the API URL must be https://www.zohoapis.eu/crm/v4/Leads

We hope you found this post useful. We will meet you next week with another interesting topic.

Let us know your questions in the comment section or write to us at support@zohocrm.com.

Cheers!

Shylaja

• Topic Participants

• Shylaja S

  

• David

• Claire

• Anu Abraham

  

• Sticky Posts

• Kaizen #197: Frequently Asked Questions on GraphQL APIs

  🎊 Nearing 200th Kaizen Post – We want to hear from you! Do you have any questions, suggestions, or topics you would like us to cover in future posts? Your insights and suggestions help us shape future content and make this series better for everyone.

• Kaizen #198: Using Client Script for Custom Validation in Blueprint

  Nearing 200th Kaizen Post – 1 More to the Big Two-Oh-Oh! Do you have any questions, suggestions, or topics you would like us to cover in future posts? Your insights and suggestions help us shape future content and make this series better for everyone.

• Celebrating 200 posts of Kaizen! Share your ideas for the milestone post

  Hello Developers, We launched the Kaizen series in 2019 to share helpful content to support your Zoho CRM development journey. Staying true to its spirit—Kaizen Series: Continuous Improvement for Developer Experience—we've shared everything from FAQs

• Kaizen #193: Creating different fields in Zoho CRM through API

  🎊 Nearing 200th Kaizen Post – We want to hear from you! Do you have any questions, suggestions, or topics you would like us to cover in future posts? Your insights and suggestions help us shape future content and make this series better for everyone.

• Client Script | Update - Introducing Commands in Client Script!

  Have you ever wished you could trigger Client Script from contexts other than just the supported pages and events? Have you ever wanted to leverage the advantage of Client Script at your finger tip? Discover the power of Client Script - Commands! Commands

• Recent Topics

• Converting Sales Order to Invoice via API; Problem with decimal places tax

  We are having problems converting a Sales Order to an Invoice via API Call. The cause of the issue is, that the Tax value in a Sales Order is sometimes calculated with up to 16 decimal places (e.g. 0.8730000000000001). The max decimal places allowed in

• Sorting columns in Zoho Projects

  Hi, In project management best practice, sorting columns (ascending, descending) is an important tool. Sorting dates to see the order of tasks starting, sorting on priority or even on planned hours is a must for an efficient project control. Currently,

• Business Continuity - Disaster Recovery

  I know about the Zoho CRM backup .zip files, however, this doesn't include any of the infrastructure with like custom fields or custom modules. I am curious on what everyone has in place for a true backup or what your plan is if your Zoho instance were

• Upload API

  I'm trying to use the Upload API to upload some images and attach them to comments (https://desk.zoho.com/DeskAPIDocument#Uploads#Uploads_Uploadfile) - however I can only ever get a 401 or bad request back. I'm using an OAuth token with the Desk.tickets.ALL

• Losing description after merging tickets

  Hello, We merge tickets when they are about the same topic from the same client. It happens sometimes. We recently noticed that after the merger only the description from the master ticket is left in a thread. And the slave-ticket description is erased.

• Option to Empty Entire Mailbox or Folder in Zoho Mail

  Hello Zoho Mail Team, How are you? We would like to request an enhancement to Zoho Mail that would allow administrators and users to quickly clear out entire folders or mailboxes, including shared mailboxes. Current Limitation: At present, Zoho Mail only

• update linked contacts when update happens in account

  Hi, I have a custom field called Licence in the Accounts module. When someone buys a licence, I’d like to update a custom field in the related Contacts. How can I achieve this? I noticed that workflows triggered on Accounts only allow me to update fields

• Problem Management Module

  I am looking for a Problem Management module within Zoho Desk. I saw in some training videos that this is available, and some even provided an annual price for it. I want an official confirmation on whether this is indeed available. This is not a particularly

• Deluge sendmail in Zoho Desk schedule can't send email from a verified email address

  I am trying to add a scheduled action with ZDesk using a Deluge function that sends a weekly email to specific ticket client contacts I've already verified the email address for use in ZDesk, but sendmail won't allow it in its "from:" clause. I've attached

• Unable to explore desk.zoho.com

  Greetings, I have an account with zoho which already has a survey subscription. I would like to explore desk.zoho.com, but when I visit it while logged in (https://desk.zoho.com/agent?action=CreatePortal) I just get a blank page. I have tried different

• Offline support for mobile app

  Accessing your files and folders from your mobile devices is now quicker and simpler, thanks to the power of offline support. Whether on an Android or iOS device, you can use the Offline function to save files and folders, so you can review them even

• Zoho Desk KB article embedded on another site.

  We embed KB articles from Zoho Desk on another site (our application). When opening the article in a new tab, there is no issue, but if we choose lightbox, we are getting an error "To protect your security, help.ourdomain.com will not allow Firefox to

• Zoho CRM Tracking Google Enhanced Conversions

  Can anyone @Zoho, consultants, or users help me understand if Zoho CRM is going to support Google's Enhanced Conversions? I included some information from Google below about it. We use Google Adwords for our pay per click advertising for lead generation,

• Transitioning to API Credits in Zoho Desk

  At Zoho Desk, we’re always looking for ways to help keep your business operations running smoothly. This includes empowering teams that rely on APIs for essential integrations, functions and extensions. We’ve reimagined how API usage is measured to give

• List of packaged components and if they are upgradable

  Hello, In reference to the article Components and Packaging in Zoho Vertical Studio, can you provide an overview of what these are. Can you also please provide a list of of components that are considered Packaged and also whether they are Upgradable?

• Does Attari Messaging app have Bot option and APIB

  Hi, Does Attari also have Bot and API as we use in WhatsApp??

• How to add application logo

  I'm creating an application which i do not want it to show my organization logo so i have changed the setting but i cannot find where to upload/select the logo i wish to use for my application. I have seen something online about using Deluge and writing

• Introducing Keyboard Shortcuts for Zoho CRM

  Dear Customers, We're happy to introduce keyboard shortcuts for Zoho CRM features! Until now, you might have been navigating to modules manually using the mouse, and at times, it could be tedious, especially when you had to search for specific modules

• Empowered Custom Views: Cross-Module Criteria Now Supported in Zoho CRM

  Hello everyone, We’re excited to introduce cross-module criteria support in custom views! Custom views provide personalized perspectives on your data and that you can save for future use. You can share these views with all users or specific individuals

• Send Automated WhatsApp Messages and Leverage the Improved WhatsApp Templates

  Greetings, I hope all of you are doing well. We're excited to announce a major upgrade to Bigin's WhatsApp integration that brings more flexibility, interactivity, and automation to your customer messaging. WhatsApp message automation You can now use

• Verifying Zoho Mail Functionality After Switching DNS from Cloudflare to Hosting Provider

  I initially configured my domain's (https://roblaxmod.com/) email with Zoho Mail while using Cloudflare to manage my DNS records (MX, SPF, etc.). All services were working correctly. Recently, I have removed my site from Cloudflare and switched my domain's

• Zoho Analytics Regex Support

  When can we expect full regex support in Zoho Analytics SQL such as REGEXP_REPLACE? Sometimes I need to clean the data and using regex functions is the easiest way to achieve this.

• Change of Blog Author

  Hi, I am creating the blog post on behalf of my colleague. When I publish the post, it is showing my name as author of the post which is not intended and needs to be changed to my colleague's name. How can I change the name of the author in the blogs?? Thanks, Ramanan

• Show Attachments in the customer portal

  Hi, is it possible to show the Attachments list in the portal for the particular module? Bests.

• Zoho CRM Formula - Current Time minus Date/Time field

  Hello, I am trying to prevent duplicate emails going to clients when more than 1 deal is being updated. To do this, I would like to create a formula to identify if a date/time field is >= 2 hours ago. Can someone please help me write this formula? Example:

• Does Zoho Docs have a Line Number function ?

  Hi, when collaborating with coding tasks, I need an online real time share document that shows line numbers. Does Zoho's docs offer this feature ? If yes, how can I show them ? Regards, Frank

• Please make it easier to Pause syncing

  right now it takes 3 clicks to get there. sounds silly, but can you make it just 2 clicks to get it done instead? thats how dropbox does it, 2 clicks to pause instead of 3.

• Feature Request - Insert URL Links in Folders

  I would love to see the ability to create simple URL links with titles in WorkDrive. or perhaps a WorkDrive extension to allow it. Example use case: A team is working on a project and there is project folder in WordDrive. The team uses LucidChart to create

• Organization Emails in Email History

  How can I make received Org Emails to show up here?

• how to differentiate if whatsapp comes from certain landing page?

  I create a Zobot in SalesIQ to create a Whatsapp bot to capture the lead. I have 2 landing pages, one is SEO optimized and the other want is optimized for leads comes from Google Ads. I want to know from which landing page this lead came through WhatsApp

• How to sync from Zoho Projects into an existing Sprint in Zoho Sprints?

  Hi I have managed to integrate Zoho Projects with Zoho Sprints and I can see that the integration works as a project was created in Zoho Sprints. But, what I would like to do is to sync into an existing Zoho Sprints project. Is there a way to make that

• How to record company set up fees?

  Hi all, We are starting out our company in Australia and would appreciate any help with setting up Books accounts. We paid an accountant to do company registration, TFN, company constitution, etc. I heard these all can be recorded as Incorporation Costs, which is an intangible asset account, and amortised over 5 years. Is this the correct way to do it under the current Australian tax regulations? How and when exactly should I record the initial entry and each year's amortasation in Books? Generally

• How to create a drop down menu in Zoho Sheets

  I am trying to find out, how do I create a drop down option in Zoho sheet. I tried Data--> Data Validation --> Criteria --> Text  --> Contains. But that is not working, is there any other way to do it.  Thanks in Advance.

• Show Payment terms in Estimates

  Hi,  we are trying to set up that estimates automatically relates payment terms for the payment terms we introduced on Edit contact (Field Payment terms).  How can it be done? Our aim is to avoid problems on payment terms introduced and do not need to introduce it manually on each client (for the moment we are introducing this information on Terms and Conditions.  Kind Regards, 

• How can I calculate the physical stock available for sale?

  Hey Zoho Team,  I've tried to calculate the physical stock on hand in various ways - but always receive a mismatch between what's displayed in Zoho Inventory & analytics.  Can you please let me know how the physical stock available for sale is calculated?

• When dispatched to crew, assigning lead missing

  Hello, For the past two or three weeks, whenever an officer assigns Service Appointment to a team, the lead person is missing from the assigned service list. Therefore, we have to reschedule the SA and then the lead person becomes visible in the assigned

• open word file in zoho writer desktop version

  "How can I open a Microsoft Word (.doc or .docx) file in Zoho Writer if I only have the file saved on my computer and Zoho Writer doesn't appear as an option when I try 'Open with'? Is there a way to directly open the .doc file in Zoho Writer?"

• I want to transfer the project created in this account to another account

  Dear Sir I want to transfer the project created in one account to another account

• Inactive User Auto Response

  We use Zoho One, and we have a couple employees that are no longer with us, but people are still attempting to email them. I'd like an autoresponder to let them no the person is no longer here, and how they can reach us going forward. I saw a similar

• Weekly Tips : Customize your Compose for a smoother workflow

  You are someone who sends a lot of emails, but half the sections in the composer just get in your way — like fields you never use or sections that clutter the space. You find yourself always hunting for the same few formatting tools, and the layout just

• Next Page