Kaizen #168 - Incremental Authorization

Welcome to this week's post in the Kaizen series. In this post, we will discuss Incremental Authorization. 

What is Incremental Authorization?

Incremental Authorization is an OAuth strategy that allows a client to request specific authorization scopes as and when they are needed. This means the client does not have to request every possible scope upfront, which would make for a poor user experience. Incremental Authorization is considered a best practice for OAuth authorization requests because:
  • Users are not overloaded with scopes in the initial stage
  • Users can control the amount of data they share

Who can use Incremental Authorization?

Server-based applications can make use of incremental authorization.

Incremental Authorization Flow

When a user first signs into the application, the application requests only the essential permissions it needs. As the user engages with the application, they may trigger features that require additional permissions. When the application identifies this, it follows the steps below:

Initiation Request (Step 1: Get Scope Enhancement Token)

The application makes a POST request to the endpoint /oauth/v2/token/scopeenhance, including the existing refresh token as a parameter. This request is aimed at obtaining a scope enhancement token, which is necessary for requesting additional permissions.

Scope Enhancement Request (Step 2)

After receiving the scope enhancement token, the app then makes a request to the endpoint /oauth/v2/token/addextrascope. In this request, it specifies which additional scopes are needed.

User Consent

The user is presented with a consent screen that details the new permissions being requested. This screen will only show the new permissions required and not those already granted.
If the user approves these new permissions, the refresh token (used in Step 1) and its associated access tokens will be updated to include the newly granted scopes.

Success Response

Upon successful approval by the user, a success response is returned, confirming that the additional scopes have been appended to the existing refresh token.

When is Incremental Authorization Useful?

Let us take a look at two scenarios where incremental authorization is particularly useful.

Scenario 1 

Zylker Marketing, a marketing agency, uses a custom in-house marketing tool that integrates with Zoho CRM. Initially, the tool has permission to read Leads in Zoho CRM. However, as the marketing team expands their operations, they realize that they need to create new Contacts based on sign-ups and retrieve existing Deals data for analysis. The tool is then revamped to create Contacts and view Deals data.
When a marketer who uses the tool tries to create a Contact for the first time, the incremental authorization method is called in the backend. The marketer is redirected to the Zoho login page. Once logged in, the marketer is prompted to grant access to the new resources. This enhances the refresh token, and the tool can continue using the same refresh token.

Scenario 2

Consider that you want to use a new Zoho CRM API that was just released as part of a version release. Your refresh token does not have the required scope to access the new API. In such cases, you can use incremental authorization to append the required scope to the same refresh token.

How can you use Incremental Authorization?

Step 1: Initiation Request

First, you need to send a request to get the scope enhancement token along with the refresh token for which the extra access is required.

Request format

POST 
{accounts-url}/oauth/v2/token/scopeenhance
?grant_type=update_scopes_token
&client_id={client_id}
&client_secret={client_secret}
&refresh_token={refresh_token}


The accounts-url is specific to the location (i.e., datacenter) where the client is registered. See all the server-specific URLs.
Request Parameters
You should send the initiation request with the parameters below. All parameters are mandatory.
  • grant_type: Specify the value as "update_scopes_token".
  • client_id: Specify the client-id obtained from the API console.
  • client_secret: Specify the client secret obtained from the API console.
  • refresh_token: Specify the refresh token to which the additional scopes should be appended.
You will receive a response in the following format:
{
"access_token": "{scope_enhancement_token}",
"token_type": "update_scope",
"expires_in": 600
}

The scope_enhancement_token received in this response should be passed as a parameter in the next step - scope enhancement request.

Step 2: Scope enhancement request

This request appends the additional scopes to the refresh token.
Request format
GET
{accounts-url}/oauth/v2/token/addextrascope
?response_type=update_scopes
&client_id={client_id}
&redirect_uri={redirect_uri}
&scope={required_scopes}
&enhance_token={scope_enhancement_token}
&logout=true

Parameters
  • response_type: Specify the value as "update_scopes".
  • client_id: Specify the client-id obtained from the API console.
  • redirect_uri: Specify the URI to which the authorization server will redirect the browser back with the success or failure response. It has to be the same URI that was provided when registering the app in the API console.
  • scope: Specify the scopes of the additional resources for which access is required.
  • enhance_token: Specify the scope enhancement token received in the response to the previous initiation request.
  • logout: Specify as true if the user's session should be terminated after the permission is granted or rejected.
When this request is called, the application redirects the user to the Zoho login page, where the user enters their Zoho credentials. Once the user is authenticated, the permissions being requested are displayed.
When the user grants permission, the additional scopes are appended to the refresh token and a success response is returned: the user is redirected to the redirect_uri with the params status=success and scope_enhanced=true, and the application can continue using the same refresh token. If the user rejects the request, the system returns a failure response: the user is redirected to the redirect_uri with the param error=access_denied.

You will receive a response in one of the following formats:

Success Response
{redirect_uri}?status=success&scope_enhanced=true

Failure Response
{redirect_uri}?error=access_denied
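The two steps above as a small client, added here as an example and not Zoho's own code. The endpoint paths, parameter names and callback params are those shown on this page; the accounts URL, client credentials, tokens and the fake HTTP transport are constructed placeholders so the example runs offline, and comma-separated scopes are an assumption.

```python
import json
from urllib.parse import urlencode, urlsplit, parse_qs

SCOPE_ENHANCE_PATH = "/oauth/v2/token/scopeenhance"   # Step 1 (POST)
ADD_SCOPE_PATH = "/oauth/v2/token/addextrascope"      # Step 2 (browser GET)


def get_scope_enhancement_token(post, accounts_url, client_id, client_secret, refresh_token):
    """Step 1: POST the existing refresh token and return the short-lived
    scope enhancement token (the page shows expires_in of 600 seconds).
    `post(url, form_dict)` is injected so the HTTP layer can be swapped."""
    body = {
        "grant_type": "update_scopes_token",
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": refresh_token,
    }
    resp = json.loads(post(accounts_url + SCOPE_ENHANCE_PATH, body))
    # Only accept the exact token_type documented; anything else is an error.
    if resp.get("token_type") != "update_scope" or "access_token" not in resp:
        raise ValueError(f"unexpected scope enhancement response: {resp}")
    return resp["access_token"]


def build_scope_enhancement_url(accounts_url, client_id, redirect_uri, scopes, enhance_token, logout=True):
    """Step 2: the URL the user's browser is sent to. Zoho shows a consent
    screen listing only the scopes not already on the refresh token."""
    params = {
        "response_type": "update_scopes",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": ",".join(scopes),          # assumption: comma-separated scope list
        "enhance_token": enhance_token,
        "logout": "true" if logout else "false",
    }
    return accounts_url + ADD_SCOPE_PATH + "?" + urlencode(params)


def parse_callback(callback_url, registered_redirect_uri):
    """Interpret the redirect back from Zoho. Returns True on
    status=success&scope_enhanced=true, False on error=access_denied.
    A callback that does not land on the registered redirect_uri is rejected."""
    parts = urlsplit(callback_url)
    if parts._replace(query="", fragment="").geturl() != registered_redirect_uri:
        raise ValueError("callback arrived on an unregistered redirect_uri")
    q = parse_qs(parts.query)
    if q.get("error") == ["access_denied"]:
        return False
    return q.get("status") == ["success"] and q.get("scope_enhanced") == ["true"]


def fake_post(url, body):
    """Constructed stand-in for the HTTP POST, returning the documented Step 1 body."""
    assert url.endswith(SCOPE_ENHANCE_PATH) and body["grant_type"] == "update_scopes_token"
    return json.dumps({"access_token": "ENH-TOKEN-PLACEHOLDER", "token_type": "update_scope", "expires_in": 600})


def run_demo(accounts_url="https://accounts.example.test", redirect_uri="https://app.example.test/oauth/cb"):
    """Walk both steps with placeholder values and return the redirect URL built."""
    tok = get_scope_enhancement_token(fake_post, accounts_url, "CLIENT_ID", "CLIENT_SECRET", "REFRESH_TOKEN")
    return build_scope_enhancement_url(accounts_url, "CLIENT_ID", redirect_uri,
                                       ["ZohoCRM.modules.contacts.CREATE", "ZohoCRM.modules.deals.READ"], tok)
```

The scope_enhancement_token is only valid for 600 seconds, so build and issue the Step 2 redirect immediately after Step 1 rather than storing the token.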

We hope you found this post useful. We will meet you next week with another interesting topic!
If you have any questions, let us know in the comment section.
Cheers!

