Kaizen #168 - Incremental Authorization
Welcome to this week's post in the Kaizen series. In this post, we will discuss Incremental Authorization.
What is Incremental Authorization?
Incremental Authorization is an OAuth strategy that allows a client to request specific authorization scopes as and when needed. This means that the client does not have to request every possible scope that might be needed upfront, which might result in a bad user experience. Incremental Authorization is considered a best practice in Oauth Authorization Request as:
- Users are not overloaded with scopes in the initial stage
- Users can control the amount of data they share
Who can use Incremental Authorization?
Server-based applications can make use of incremental authorization
Incremental Authorization Flow
Incremental Authorization FlowWhen a user first signs into the application, the application requests only the essential permissions needed. The user may trigger features that require additional permissions as they engage with the application. When the application identifies this, it follows the below steps:
Initiation Request (Step 1: Get Scope Enhancement Token )
The application makes a POST request to the endpoint /oauth/v2/token/scopeenhance, including the existing refresh token as a parameter. This request is aimed at obtaining a scope enhancement token, which is necessary for requesting additional permissions.
Scope Enhancement Request (Step 2)
After receiving the scope enhancement token, the app then makes a request to the endpoint /oauth/v2/token/addextrascope. In this request, it specifies which additional scopes are needed.
User Consent
The user is presented with a consent screen that details the new permissions being requested. This screen will only show the new permissions required and not those already granted.
If the user approves these new permissions, the refresh token (used in Step 1) and its associated access tokens will be updated to include the newly granted scopes.
Success Response
Upon successful approval by the user, a success response is returned, confirming that the additional scopes have been appended to the existing refresh token.
When is Incremental Authorization Useful?
Let us take a look at two scenarios where incremental authorization is particularly useful.
Scenario 1
Zylker Marketing, a marketing agency, utilizes a custom in-house marketing tool that integrates with Zoho CRM. Initially, the tool has permission to read Leads in Zoho CRM. However, as the marketing team expands their operations, they realize that they require to create new Contacts based on sign-ups and retrieve existing deals data for analysis. The tool is then revamped to create Contacts and view Deals data.
When a marketer who uses the tool tries to create a Contact for the first time, the incremental authorization method is called in the backend. The marketer is redirected to the Zoho login page. Once logged in, the marketer is prompted to give access to the new resources. This enhances the refresh token, and the tool can continue using the same refresh token.
Scenario 2
Consider that you want to use a new Zoho CRM API that just got released as part of the version release. Your refresh token does not have the required scope to access the new API. You can make use of incremental authorization to append the required scope to the same refresh token in these cases.
How can you use Incremental Authorization?
Step 1: Initiation Request
First, you need to send a request to get the scope enhancement token along with the refresh token for which the extra access is required.
Request format
POST {accounts-url}/oauth/v2/token/scopeenhance ?grant_type=update_scopes_token &client_id={client_id} &client_secret={client_secret} &refresh_token={refresh_token} |
The accounts-url is specific to the location (i.e., datacenter) where the client is registered. See all the server-specific URLs.
Request Parameters
You should send the initiation request with the below parameters. All parameters are mandatory
- grant_type: Specify the value as "update_scopes_token".
- client_id: Specify the client-id obtained from the API console.
- client_secret: Specify client-secret obtained from the API console.
- refresh_token: Specify the refresh token to which the additional scopes should be appended.
You will receive a response in the below format
{ "access_token": "{scope_enhancement_token}", "token_type": "update_scope", "expires_in": 600 } |
The scope_enhancement_token received in this response should be passed as a parameter in the next step - scope enhancement request.
Step 2: Scope enhancement request
This request appends the refresh token with additional scopes.
Request format
GET {accounts-url}/oauth/v2/token/addextrascope ?response_type=update_scopes &client_id={client_id} &redirect_uri={redirect_uri} &scope={required_scopes} &enhance_token={scope_enhancement_token} &logout=true |
Parameters
- response_type: Specify the value as "update_scopes".
- client_id: Specify the client-id obtained from the API console.
- redirect_uri : Specify the URI to which the authorization server will redirect the browser back with success or failure response. It has to be the same URI which is provided when registering the app in the API console.
- scope: Specify the scopes of the additional resources for which access is required.
- enhance_token: Scope enhancement token received in the response of the previous initiation request.
- logout: Specify as true if the user's session should be terminated after the permission is granted or rejected.
When this request is called, the application redirects the user to the Zoho Login page, and the user enters the Zoho credentials. Then, the permissions required are displayed once the user is authenticated.
The refresh token will be appended with the additional scopes, and a success response will be returned when the user grants permission. The user will be redirected to the redirect_uri with params status as success and scope_enhanced as true. The user can continue using the same refresh token can be used. If the user rejects the authentication, the system returns a failure response. The user will be redirected to the redirect_uri with params error as access_denied.
You will receive a response in the below formats:
Success Response
{redirect_uri}?status=success&scope_enhanced=true |
Failure Response
{redirect_uri}?error=access_denied |
We hope you found this post useful. We will meet you next week with another interesting topic!
If you have any questions, let us know in the comment section.
Cheers!
Previous Kaizen: Kaizen #167 - Configuration and Initialization of Zoho CRM Python SDK (V7) for different client types |
Kaizen Collection: Directory | Help document link: Incremental Authorization
Access your files securely from anywhere
Centralize Knowledge. Transform Learning.
All-in-one knowledge management and training platform for your employees and customers.
New to Zoho Recruit?
Zoho Developer Community
New to Zoho LandingPage?
Zoho LandingPage Resources
New to Zoho Survey?
New to Zoho CRM Plus?
Deliver unforgettable customer experiences
New to Zoho CRM Plus?
Deliver unforgettable customer experiences
New to Zoho Marketing Plus?
Everything you need to run your marketing
New to Zoho Marketing Plus?
Everything you need to run your marketing
New to Bigin?
Topic Participants
Mable Mary M P
Sticky Posts
Kaizen #198: Using Client Script for Custom Validation in Blueprint
Nearing 200th Kaizen Post – 1 More to the Big Two-Oh-Oh! Do you have any questions, suggestions, or topics you would like us to cover in future posts? Your insights and suggestions help us shape future content and make this series better for everyone.Kaizen #226: Using ZRC in Client Script
Hello everyone! Welcome to another week of Kaizen. In today's post, lets see what is ZRC (Zoho Request Client) and how we can use ZRC methods in Client Script to get inputs from a Salesperson and update the Lead status with a single button click. In thisKaizen #222 - Client Script Support for Notes Related List
Hello everyone! Welcome to another week of Kaizen. The final Kaizen post of the year 2025 is here! With the new Client Script support for the Notes Related List, you can validate, enrich, and manage notes across modules. In this post, we’ll explore howKaizen #217 - Actions APIs : Tasks
Welcome to another week of Kaizen! In last week's post we discussed Email Notifications APIs which act as the link between your Workflow automations and you. We have discussed how Zylker Cloud Services uses Email Notifications API in their custom dashboard.Kaizen #216 - Actions APIs : Email Notifications
Welcome to another week of Kaizen! For the last three weeks, we have been discussing Zylker's workflows. We successfully updated a dormant workflow, built a new one from the ground up and more. But our work is not finished—these automated processes are
New to Zoho TeamInbox?
Zoho TeamInbox Resources
Zoho CRM Plus Resources
Zoho Books Resources
Zoho Subscriptions Resources
Zoho Projects Resources
Zoho Sprints Resources
Qntrl Resources
Zoho Creator Resources
Zoho CRM Resources
Design. Discuss. Deliver.
Zoho Show Resources
Get Started. Write Away!
Writer is a powerful online word processor, designed for collaborative work.
Zoho CRM コンテンツ
-
オンラインヘルプ
-
Webセミナー
-
機能活用動画
-
よくある質問
-
Ebook
-
-
Zoho Campaigns
- Zoho サービスのWebセミナー
その他のサービス コンテンツ
Nederlandse Hulpbronnen
ご検討中の方
Recent Topics
Auto-approval for shared key access not working for new users
Hello, I'm an admin of a Zoho Vault organization (34 active users, ZOHO identity provider). I have the "Auto-approval for shared key access" setting enabled in Settings → Fine-Grained Controls → Global, but it does not work as expected. The problem: WhenZoho Analytics UI Bug
Hello, all, The Aggregate Formulas in Zoho Analytics' list of fields have a 3-dot menu: If the formula has a long name, the name is not fully visible in the list, and a 3-dot menu is not accessible from it: This is not convenient, especially when theCanvases Auto-Skewing/Adding Scroll Bars When They Were Not There Prior
Is anyone else noticing rendering issues in their canvases today? It seems to be mainly icons which now have scroll bars added which makes them all look off, though some fields seemed to revert to squished length as well. Were the icons replaced withAbility to Use Both AND and OR When Creating Rules (Advanced Conditions)
I'd like to be able to use more complicated logic when setting up rules. E.g. in Zoho Mail, I can choose "Advanced conditions (AND/OR) to create a rule that can be applied to multiple subject lines from the same sender. But in Zoho TeamInbox, I will haveMarketing Tip #37: Reduce purchase doubts with better product images
When customers shop online, they cannot pick up, turn around, or inspect a product in person. That is why your product images need to do more of the selling. Two simple upgrades can make a big difference: Use zoom-friendly images so customers can lookWhy don't Zia agents support file uploads?
I am trying to build a Zia Agent that allows uploading of a PDF file and uses the GLM5 model to process it and extract information. But agents.zoho.com has no way to enable file uploads on the agent. Additionally, GLM5 based agents keep outputting theirZia Agent built in ChatKit UI does not render markdown
Hi, You have a major shortcoming in the Zia Agent UI. The test UI that is embedded in agents.zoho.com allows you to test the agent has full support for rendering markdown, but your ChatKit UI does not have support for rendering markdown. If I embed itHow to use Zoho Billing info in a workflow
We have Zoho Billing and CRM sync'd and the Billing info appears as expected for each Account in Zoho CRM, including subscription status, plan type etc. But how can we use this in a workflow? Thanks DylanZoho Forms - Failed CRM Sync Improvement
I'd like to suggest an enhancement to the Zoho Forms and Zoho CRM integration. Currently, once a form entry has been submitted, there is no simple way to push that individual entry to CRM again if needed. Before anyone mentions it, I am aware that theWill I see emails sent via campaigns in CRM?
It would be useful for people to be able to see emails sent via campagins in Zoho CRM is that possible?Cliq iOS can't see shared screen
Hello, I had this morning a video call with a colleague. She is using Cliq Desktop MacOS and wanted to share her screen with me. I'm on iPad. I noticed, while she shared her screen, I could only see her video, but not the shared screen... Does Cliq iOS is able to display shared screen, or is it somewhere else to be found ? RegardsZoho Books | Product updates | June 2026
Hello users, Welcome to this month's roundup of what's new in Zoho Books! We have an exciting line-up this time. The highlight is the launch of the all-new France Edition with full ISCA compliance. We're also introducing features such as Layout RulesWhat is MCP and How Does It Connect to Zoho Invoice?
If you've ever wished you could just tell your invoicing software what to do, without clicking through menus, pulling up reports manually, or switching tabs every five minutes, that's exactly what the Zoho MCP server is built for. MCP stands for ModelAdd spaces to input format
In Zoho Inovices, I am trying to do a custom input format for a custom field. I have tried a few variations, but this is my most recent: ^[a-z][A-Z][0-9][,][-][_][:][ ]$ In this field, I will be entering different alphanumeric information, depending onEnhancement in Zoho CRM: Introducing New Return Types for String Fields Based on Character Length
Dear Customers, We hope you’re well! In Zoho CRM, formula field with string return type is used in various scenarios where text is involved like concatenating customers’ first and last names, trimming characters from texts, performing find and replaceGLM 5 not available
Hello, I am trying to setup a Zia Agent using agents.zoho.com. The settings says that GLM5 is among the list of free zoho hosted models available. However, when I try to setup an agent and pick a model from the list only GLM 4.7 Flash is available. HowSupervisor Rules --> Custom Function
Hello, currently I can't add a custom function to a supervise rule. Is there a reason for this? Background: We have BluePrint managed tickets and actually we have a Supervise rule which should set the ticket to "closed" after 168 hours since the lastVault Chrome Extension Asks for Master Password every single time
Is this supposed to be a feature, or is this a bug? My assumption is that it's a bug, because every time I click on the Extension, there is a red exclamation mark/notification on the Zoho Vault extension. Is the idea with the Extension that I have toWhat's New in Zoho Inventory | April & May 2026
Hello users, We're excited to roll out the latest Zoho Inventory updates for April and May 2026. These enhancements are designed to make your daily operations smoother and more efficient, from advanced inventory management and flexible pricing to automatedHow to display Pick List values with vertical separation in Canvas
I have a Multi-Select Pick List whose values I would like displayed vertically. So far, I have only been able to figure out how to adjust the width and other sizing of the field itself or even how to wrap the values to the next line below. I am trying"Make online" not clearing previously downloaded files from disk
I downloaded a large folder via "Make offline" so I could copy it to another location. This worked. When I was done I hoped that "Make online" would restore it to the previous state where those files are not stored locally in TrueSync. This did not work—FinderPermission Denied for Worklogs URL
We're attempting to pull worklogs data from service desk plus and when using the below URL we are met with a message stating we do not have permission. https://sdpondemand.manageengine.com/api/v3/requests/xxxxxx/worklogs/ We used SDPOnDemand.requests.ALLAnyone in Australia using Zoho Books AND has their account with NAB?
Hi I have an account with both NAB and Suncorp. Suncorp transaction come in the next day however NAB transactions take 4-5 business days to appear. eg: A deposit made today in my Suncorp will be imported into Zoho tomorrow. A deposit made today to the NAB account will be imported maybe Saturday (Friday overnight). I have contacted both Zoho and NAB but noone seems to know why. I was just wondering if anyone else in Australia uses NAB and has this issue (or doesn't) maybe we could compare notes andPlease Make Zoho CRM Cadences Flexible: Allow Inserting and Reordering Follow-Up Steps
Sales processes are not static. We test, learn, and adapt as customers respond differently than expected. Right now, Zoho Cadences do not support inserting a new step between existing follow-ups or changing the type of an existing primary step. If I realizePartner with HDFC And Sbi Bank.
Hdfc and sbi both are very popular bank if zoho books become partner with this banks then many of the zoho books users will benefit premium features of partnered banks.#12 Never Leave a Billable Hour Behind
A client approves a website redesign project. The estimated effort? 40 hours. The project is going well. A few additional review meetings are scheduled. Several rounds of content changes are requested. A few "quick fixes" get added along the way. TheClose task on Completion Date entry
This discussion is similar to my issue: "backdated-task-completion-date" discussion Scenario: A bunch of tasks have been completed. But, they have not been closed. Time goes by You finally get around to closing those tasks Projects assigns the date theCan I add Conditional merge tags on my Templates?
Hi I was wondering if I can use Conditional Mail Merge tags inside my Email templates/Quotes etc within the CRM? In spanish and in our business we use gender and academic degree salutations , ie: Dr., Dra., Sr., Srta., so the beginning of an email / letterRecords from ATE 29: Knowledge Base, Community, and AI for smarter user education
Hi Everyone, "Ask the Experts 29" was an engaging session, where we explored how to utilize the Knowledge Base for customers and internal teams, as well as emphasizing the importance of our Community. This post highlights the questions and use cases discussed,Deleted User Emails
I need to delete a user as I need to re-use their license, but I'd like to keep all their emails that are attached to various contacts in the CRM. Their emails are hosted externally on an M365 license. Anyone any idea how best to engineer this? TIAIts 2022, can our customers log into CRM on their mobiles? Zoho Response: Maybe Later
I am a long time Zoho CRM user. I have just started using the client portal feature. On the plus side I have found it very fast and very easy (for someone used to the CRM config) to set up a subset of module views that make a potentially extremely usefulZoho CRM upload files error
Since today, we have been experiencing issues with uploading photos to opportunities. The message indicates that the storage is full, but as far as I can see, there is still plenty of space available. Could there be an issue or a bug?Kaizen #246 - Incoming Lead Email Intent Detection using Zia Assistant API in Zoho CRM
Hello all! Welcome back to a fresh Kaizen week. In this post, we will explore how Zia detects positive intent from incoming emails in the Leads module using the Zia Assistant API along with Workflow Rules and Custom Functions in Zoho CRM. Use Case ProblemSmart URL Determination
I would like to see Vault implement some sort of "smart" URL determination. When one starts to add a new username-password combination from a new site, Vault brings in the exact URL of the page from which this is happening. All too often, it looks somethingRemoving To or CC Addresses from Desk Ticket
I was hoping i could find a way to remove unnecessary email addresses from tickets submitted via email. For example, a customer may email the support address AND others who are in the helpdesk notification group, in either the TO or CC address. This resultsTip #76- Exploring Technician Console: Quick Launch- 'Insider Insights'
Hello Zoho Assist Community! Welcome back to our Technician Console series. Last time we explored Power Options, and this time we are turning the spotlight on a feature that quietly saves you dozens of clicks in every session by getting you exactly whereMulti-Book Accounting Support in Zoho Books
Currently, businesses that operate multiple entities, regions, or divisions need to maintain separate Zoho Books instances or resort to manual consolidation processes. This creates significant operational friction and increases the risk of errors. PROBLEM:Automated Multi-Subsidiary Consolidation Engine in Zoho Books
For organizations managing multiple subsidiaries across different geographies or business units, consolidation is a quarterly/annual nightmare. Zoho Books lacks native consolidation tools, forcing companies to export data, manipulate it in Excel, andZoho Books | Product updates | April 2026
Hello users, Welcome to our April 2026 product updates roundup! Highlights include profit margin for sales transactions, insights in reports, recording deposits from undeposited funds in banking, and faster production workflows with improved assemblyUnable to charge GST on shipping/packing & Forwarding charges in INDIA
Currently, tax rates only apply to items. It does not apply tax to any shipping or packing & forwarding charges that may be on the order as well. However, these charges are taxable under GST in India. Please add the ability to apply tax to these charges.Next Page