Kaizen #168 - Incremental Authorization
Welcome to this week's post in the Kaizen series. In this post, we will discuss Incremental Authorization.
What is Incremental Authorization?
Incremental Authorization is an OAuth strategy that allows a client to request specific authorization scopes as and when needed. This means that the client does not have to request every possible scope that might be needed upfront, which might result in a bad user experience. Incremental Authorization is considered a best practice in Oauth Authorization Request as:
- Users are not overloaded with scopes in the initial stage
- Users can control the amount of data they share
Who can use Incremental Authorization?
Server-based applications can make use of incremental authorization
Incremental Authorization Flow
Incremental Authorization FlowWhen a user first signs into the application, the application requests only the essential permissions needed. The user may trigger features that require additional permissions as they engage with the application. When the application identifies this, it follows the below steps:
Initiation Request (Step 1: Get Scope Enhancement Token )
The application makes a POST request to the endpoint /oauth/v2/token/scopeenhance, including the existing refresh token as a parameter. This request is aimed at obtaining a scope enhancement token, which is necessary for requesting additional permissions.
Scope Enhancement Request (Step 2)
After receiving the scope enhancement token, the app then makes a request to the endpoint /oauth/v2/token/addextrascope. In this request, it specifies which additional scopes are needed.
User Consent
The user is presented with a consent screen that details the new permissions being requested. This screen will only show the new permissions required and not those already granted.
If the user approves these new permissions, the refresh token (used in Step 1) and its associated access tokens will be updated to include the newly granted scopes.
Success Response
Upon successful approval by the user, a success response is returned, confirming that the additional scopes have been appended to the existing refresh token.
When is Incremental Authorization Useful?
Let us take a look at two scenarios where incremental authorization is particularly useful.
Scenario 1
Zylker Marketing, a marketing agency, utilizes a custom in-house marketing tool that integrates with Zoho CRM. Initially, the tool has permission to read Leads in Zoho CRM. However, as the marketing team expands their operations, they realize that they require to create new Contacts based on sign-ups and retrieve existing deals data for analysis. The tool is then revamped to create Contacts and view Deals data.
When a marketer who uses the tool tries to create a Contact for the first time, the incremental authorization method is called in the backend. The marketer is redirected to the Zoho login page. Once logged in, the marketer is prompted to give access to the new resources. This enhances the refresh token, and the tool can continue using the same refresh token.
Scenario 2
Consider that you want to use a new Zoho CRM API that just got released as part of the version release. Your refresh token does not have the required scope to access the new API. You can make use of incremental authorization to append the required scope to the same refresh token in these cases.
How can you use Incremental Authorization?
Step 1: Initiation Request
First, you need to send a request to get the scope enhancement token along with the refresh token for which the extra access is required.
Request format
POST {accounts-url}/oauth/v2/token/scopeenhance ?grant_type=update_scopes_token &client_id={client_id} &client_secret={client_secret} &refresh_token={refresh_token} |
The accounts-url is specific to the location (i.e., datacenter) where the client is registered. See all the server-specific URLs.
Request Parameters
You should send the initiation request with the below parameters. All parameters are mandatory
- grant_type: Specify the value as "update_scopes_token".
- client_id: Specify the client-id obtained from the API console.
- client_secret: Specify client-secret obtained from the API console.
- refresh_token: Specify the refresh token to which the additional scopes should be appended.
You will receive a response in the below format
{ "access_token": "{scope_enhancement_token}", "token_type": "update_scope", "expires_in": 600 } |
The scope_enhancement_token received in this response should be passed as a parameter in the next step - scope enhancement request.
Step 2: Scope enhancement request
This request appends the refresh token with additional scopes.
Request format
GET {accounts-url}/oauth/v2/token/addextrascope ?response_type=update_scopes &client_id={client_id} &redirect_uri={redirect_uri} &scope={required_scopes} &enhance_token={scope_enhancement_token} &logout=true |
Parameters
- response_type: Specify the value as "update_scopes".
- client_id: Specify the client-id obtained from the API console.
- redirect_uri : Specify the URI to which the authorization server will redirect the browser back with success or failure response. It has to be the same URI which is provided when registering the app in the API console.
- scope: Specify the scopes of the additional resources for which access is required.
- enhance_token: Scope enhancement token received in the response of the previous initiation request.
- logout: Specify as true if the user's session should be terminated after the permission is granted or rejected.
When this request is called, the application redirects the user to the Zoho Login page, and the user enters the Zoho credentials. Then, the permissions required are displayed once the user is authenticated.
The refresh token will be appended with the additional scopes, and a success response will be returned when the user grants permission. The user will be redirected to the redirect_uri with params status as success and scope_enhanced as true. The user can continue using the same refresh token can be used. If the user rejects the authentication, the system returns a failure response. The user will be redirected to the redirect_uri with params error as access_denied.
You will receive a response in the below formats:
Success Response
{redirect_uri}?status=success&scope_enhanced=true |
Failure Response
{redirect_uri}?error=access_denied |
We hope you found this post useful. We will meet you next week with another interesting topic!
If you have any questions, let us know in the comment section.
Cheers!
Previous Kaizen: Kaizen #167 - Configuration and Initialization of Zoho CRM Python SDK (V7) for different client types |
Kaizen Collection: Directory | Help document link: Incremental Authorization
Access your files securely from anywhere
Centralize Knowledge. Transform Learning.
All-in-one knowledge management and training platform for your employees and customers.
New to Zoho Recruit?
Zoho Developer Community
New to Zoho LandingPage?
Zoho LandingPage Resources
New to Zoho Survey?
New to Zoho CRM Plus?
Deliver unforgettable customer experiences
New to Zoho CRM Plus?
Deliver unforgettable customer experiences
New to Zoho Marketing Plus?
Everything you need to run your marketing
New to Zoho Marketing Plus?
Everything you need to run your marketing
New to Bigin?
Topic Participants
Mable Mary M P
Sticky Posts
Kaizen #198: Using Client Script for Custom Validation in Blueprint
Nearing 200th Kaizen Post – 1 More to the Big Two-Oh-Oh! Do you have any questions, suggestions, or topics you would like us to cover in future posts? Your insights and suggestions help us shape future content and make this series better for everyone.Kaizen #226: Using ZRC in Client Script
Hello everyone! Welcome to another week of Kaizen. In today's post, lets see what is ZRC (Zoho Request Client) and how we can use ZRC methods in Client Script to get inputs from a Salesperson and update the Lead status with a single button click. In thisKaizen #222 - Client Script Support for Notes Related List
Hello everyone! Welcome to another week of Kaizen. The final Kaizen post of the year 2025 is here! With the new Client Script support for the Notes Related List, you can validate, enrich, and manage notes across modules. In this post, we’ll explore howKaizen #217 - Actions APIs : Tasks
Welcome to another week of Kaizen! In last week's post we discussed Email Notifications APIs which act as the link between your Workflow automations and you. We have discussed how Zylker Cloud Services uses Email Notifications API in their custom dashboard.Kaizen #216 - Actions APIs : Email Notifications
Welcome to another week of Kaizen! For the last three weeks, we have been discussing Zylker's workflows. We successfully updated a dormant workflow, built a new one from the ground up and more. But our work is not finished—these automated processes are
New to Zoho TeamInbox?
Zoho TeamInbox Resources
Zoho CRM Plus Resources
Zoho Books Resources
Zoho Subscriptions Resources
Zoho Projects Resources
Zoho Sprints Resources
Qntrl Resources
Zoho Creator Resources
Zoho CRM Resources
Design. Discuss. Deliver.
Zoho Show Resources
Get Started. Write Away!
Writer is a powerful online word processor, designed for collaborative work.
Zoho CRM コンテンツ
-
オンラインヘルプ
-
Webセミナー
-
機能活用動画
-
よくある質問
-
Ebook
-
-
Zoho Campaigns
- Zoho サービスのWebセミナー
その他のサービス コンテンツ
Nederlandse Hulpbronnen
ご検討中の方
Recent Topics
Need a Universal Search Option in Zohobooks
Hello Zoho, Need a Universal Search Option in Zohobooks to search across all transactions in our books of accounts. Please do the needful ThanksThis version of app doesn't support this notecard type Error
So this problem is happening for any notes created within the last week, as well as any note recently edited on Android. I can open them on my phone fine, but they don't open on the website version. They DO work on the desktop app version. It's just webOrdering of Teams
Hi there, Currently, we cannot order Teams in Zoho Desk. Teams are ordered as they were created. It would be really helpful if we could customise the order of Teams. For example: We have the following Teams: Shipping Customer Service Sales ComplianceHow to change the format for phone numbers?
Mobile phone numbers are currently formatted (###) ###-####. How can I change this to a more appropriate forms for Australia being either #### ### ### or (#)### ### ###?Zoho Mail Android app update: UI revamp
Hello everyone! We are excited to share that the first phase of the Zoho Mail Android UI revamp is now live. In this update, we have redesigned navigation bar at the bottom to quickly access the Email, Calendar, Contacts, and Settings modules. Also, theAdd Support for Authenticator App MFA in Zoho Desk Help Center
Hello Zoho Desk Team, We hope you are doing well. We would like to request an enhancement related to security for the Zoho Desk Help Center (customer portal). Currently, the Help Center supports MFA for portal users via SAML, JWT, SMS authentication,All new Address Field in Zoho CRM: maintain structured and accurate address inputs
Availability Update: 29 September 2025: It's currently available for all new sign-ups and for existing Zoho CRM orgs which are in the Professional edition exclusively for IN DC users. 2 March 2026: Available to users in all DCs except US and EU DC. 24PDF's Give Unsupported Type Error Message
Many of the pdf files I add to Notebook work fine but in some cases when I try to open them on the Android App I get a message saying "Unsupported Type. Psst! You are using an older version of the app which does not support this note format. Please updateResubscribe with Zoho Campaigns
Hi, I am new to Zoho Campaigns and sent a campaign to a contact list with only my email address. I wanted to see what the footer links did, so clicked unsubscribe and now can't include my email address into any more campaigns. I don't have a sign up form on my website to resubscribe and can't find how to resubscribe anywhere else. Can you help?Add a way to connect Log360 Cloud logs with Zoho analytics
Hi, Several month ago Log360 Cloud was added to zoho one - and this is great. But as far as I see there is no prebuilt way to connect Zoho analytics to the logs we have in Log360 Cloud. Please add a prebuilt connection like we have for so many other zohoDynamic Multi-Staff Selection for Ad-Hoc Bookings
Summary Allow customers or internal schedulers to select specific staff members at the time of booking, with Zoho Bookings automatically surfacing only the time slots where all selected members are simultaneously available. Current Behaviour Zoho BookingsRecurring event sync via Microsoft 365 Meetings
I believe syncing Recurring through the Microsoft 365 Meetings integration is already in the works but I couldn't find a reference in the community to track the progress of this work.Share Edit while in Workflow
There are times that while a writer document is in the middle of a workflow the user that's responsible for that stage of the workflow needs to bring in other people to work on the document. Currently there is no way for the user to be able to allow other'sHow can I use the API to add a drop-shipping address to a sales order for one-time use?
I need to be able to add a drop-shipping address for one-time use to a sales order via the API. Adding every such address to the contact (customer), then feeding the shippingaddress_id into the sales order, is not an acceptable approach; we have someNeed to set workflow or journey wait time (time delay) in minutes, not hours
Minimum wait time for both Campaigns workflows and Marketing Automation journeys is one hour. I need one or the other to be set to several minutes (fraction of the hour). I tried to solve this by entering a fraction but the wait time data type is an integerAuto sync Photo storage
Hello I am new to Zoho Workdrive and was wondering if the is a way of automatically syncing photos on my Android phone to my workdrive as want to move away from Google? Thankssending email with another account
Hello there, i write there for an our costumer request. They want to send email from CRM with a different email (confirmed and added to zoho profile). For example they use account@zilium.com but with this account they want to send (not only with emailMajor journey crash and not loading. Zoho Marketing Automation
Hi all. Last night (19MAR, 2026) Marketing Automation for a specific journey completely crashed, and since the crash the specific journey has failed to load at all (blank journey canvas, no journey appears, no menu accessible) but other separate journey'sIzettle or Sumup Integration for Zoho Books.
The Stripe & Square clearing works great in Zoho Books. Any further integrations planned in the future for Izettle or Sumup? These card processors are very common for taking payments with a card reader.Is anyone experience missing functions in the new UI until hard refresh?
The set of functions including search is almost always missing upon loading an app in the new UI. If you refresh, the functions return. (see second screenshot) Anyone else experiencing this?Adding Images to a Quote in Zoho CRM
We are currently preparing to use Quotes in Zoho CRM and we are building out our Quote templates. We came across an issue of not being to add Images of the products to the Quote - specifically in the body of the Quote templates. This is a problem,Mail Search should allow grouping by conversation like Gmail.
Having switched from gmail I have found the search function hard to use. Mostly because mail is not grouped by conversation in search. If I search for a word when looking for a conversation had with someone then sometimes 10 emails will come up from theServer-based Appication API access for Social, Sites, Flow, Pages.
Hello, I am trying to hook up API access for a number of apps and I have hit a wall trying to add these scopes to the API feed. We cannot find the correct way to list the scope for these Zoho apps; Social, Sites, Flow, Writer. Error on web-page comesZoho Landing Page "Something went wrong" Error
Hello, Every time I try to create a new landing page, I receive a "Something went wrong" error with no explanation. I cannot create any new pages, which means we cannot use this application. I did create one landing page successfully over a month ago,Sync desktop folders instantly with WorkDrive TrueSync (Beta)
Keeping your important files backed up and accessible has never been easier! With WorkDrive desktop app (TrueSync), you can now automatically sync specific desktop folders to WorkDrive Web, ensuring seamless, real-time updates across devices. Important:Cliq iOS can't see shared screen
Hello, I had this morning a video call with a colleague. She is using Cliq Desktop MacOS and wanted to share her screen with me. I'm on iPad. I noticed, while she shared her screen, I could only see her video, but not the shared screen... Does Cliq iOS is able to display shared screen, or is it somewhere else to be found ? RegardsZoho → ShipStation Integration – Sales Order–Driven Fulfilment Workflow
Hello All, I’m reaching out to explore the best way to integrate a shipping tool into our inventory which will speed our process up. We are looking to integrate ShipStation into our existing order-to-fulfilment workflow, as we’re keen to standardise onNewby Questions - Vendors, Customers, and Income vs. Other Income Clarifications
Q1. For Deposits, there does not seem to be an option for "Income". "Other Income" is an option however. What is the process to add the option to assign a deposit to type "Income"? Q2. In many cases Vendors and Customer are the same. Vendors may purchaseZoho Booking - TIN vs ATIN & ITIN
Zoho Booking Vendors allows for TAX ID values of SSN, EIN, ATIN an ITIN. There is no option for TIN. What is the method to properly add TIN to the list of taxable values for companies? For reference: Social Security Numbers (SSN) Individual Taxpayer IdentificationBank Feed shows redacted description numbers (xxxx)
Hi All, Is there any way to change this behaviour? Either Zoho or Yodlee is redacting important numbers from the transaction description, preventing us from being able to easily recognise and reconcile transactions. For example, a transaction with a descriptionCan I write a check in Zoho Books with no associated bill?
This currently does not seem possible, and I have a client that desperately needs this function if I am able to convert them with Quickbooks. Thank you in advance for your reply.Handling large product migrations in Zoho?
Hi everyone, How do you usually manage large product catalog migrations (10K+ SKUs) into Zoho One? Main concerns I’m thinking about: Avoiding downtime Preventing data loss Keeping supplier and product relationships intact Do you prefer bulk imports orset up an opportunity progress bar in canva
Hi, set up an opportunity progress bar in canva I need help to set to reproduce the progress bar or equivalent of the opportunity steps in canva as in standard view (see capture ) Thank you in advance AmadouReassign Partially Saved Entries
Hi, I would like to be able to go to Partially Saved Entries and like the option to delete them I would like the option to multi-select and be able to reassign them to another user to complete (Such as when a user has left the company). Thanks DanPreventing auto-redirect to Parent Record on Save...
Our users often create records from the related list on th left side of the screen. They click the blue "plus" button to create the record. This is handy, but for some modules, or situations, they would like to remain on the record AFTER clicking "Save",Introducing Version-3 APIs - Explore New APIs & Enhancements
New Update - The end of life timeline for V2 APIs has now been extended to 30th June, 2026 Happy to announce the release of Version 3 (V3) APIs with an easy to use interface, new APIs, and more examples to help you understand and access the APIs better.Correlated subqueries not supported in Zoho Analytics. This creates huge limitations
Running into a major limitation in Zoho Analytics: correlated subqueries simply don’t work, even in completely standard SQL patterns inside a JOIN. Example: LEFT JOIN "Bills" b ON d."Id" = b."Deal ID" AND EXISTS ( SELECT 1 FROM "BillUnknown table or alias 'A1'
I would like to create a subquery but i am getting the following error: Unknown table or alias 'A1' used in select query. This is the sql statement: SELECT A1.active_paying_customers, A1.active_trial_customers, A1.new_paying_signup, date(A1.date_active_customers),Feature announcement - Introducing recipient authentication via Didit in Zoho Sign
Hi everyone! Zoho Sign already integrates with trusted providers like IDology (US), eID Easy (EU), and Stripe Identity. Today, we're excited to add another powerful option: Didit. Some benefits of using Didit: Unified ID verification Streamlined eKYCCRM x WorkDrive: File storage for new CRM signups is now powered by WorkDrive
Availability Editions: All DCs: All Release plan: Released for new signups in all DCs. It will be enabled for existing users in a phased manner in the upcoming months. Help documentation: Documents in Zoho CRM Manage folders in Documents tab Manage filesNext Page