Kaizen #168 - Incremental Authorization
Welcome to this week's post in the Kaizen series. In this post, we will discuss Incremental Authorization.
What is Incremental Authorization?
Incremental Authorization is an OAuth strategy that allows a client to request specific authorization scopes as and when needed. This means that the client does not have to request every possible scope that might be needed upfront, which might result in a bad user experience. Incremental Authorization is considered a best practice in Oauth Authorization Request as:
- Users are not overloaded with scopes in the initial stage
- Users can control the amount of data they share
Who can use Incremental Authorization?
Server-based applications can make use of incremental authorization
Incremental Authorization Flow
Incremental Authorization FlowWhen a user first signs into the application, the application requests only the essential permissions needed. The user may trigger features that require additional permissions as they engage with the application. When the application identifies this, it follows the below steps:
Initiation Request (Step 1: Get Scope Enhancement Token )
The application makes a POST request to the endpoint /oauth/v2/token/scopeenhance, including the existing refresh token as a parameter. This request is aimed at obtaining a scope enhancement token, which is necessary for requesting additional permissions.
Scope Enhancement Request (Step 2)
After receiving the scope enhancement token, the app then makes a request to the endpoint /oauth/v2/token/addextrascope. In this request, it specifies which additional scopes are needed.
User Consent
The user is presented with a consent screen that details the new permissions being requested. This screen will only show the new permissions required and not those already granted.
If the user approves these new permissions, the refresh token (used in Step 1) and its associated access tokens will be updated to include the newly granted scopes.
Success Response
Upon successful approval by the user, a success response is returned, confirming that the additional scopes have been appended to the existing refresh token.
When is Incremental Authorization Useful?
Let us take a look at two scenarios where incremental authorization is particularly useful.
Scenario 1
Zylker Marketing, a marketing agency, utilizes a custom in-house marketing tool that integrates with Zoho CRM. Initially, the tool has permission to read Leads in Zoho CRM. However, as the marketing team expands their operations, they realize that they require to create new Contacts based on sign-ups and retrieve existing deals data for analysis. The tool is then revamped to create Contacts and view Deals data.
When a marketer who uses the tool tries to create a Contact for the first time, the incremental authorization method is called in the backend. The marketer is redirected to the Zoho login page. Once logged in, the marketer is prompted to give access to the new resources. This enhances the refresh token, and the tool can continue using the same refresh token.
Scenario 2
Consider that you want to use a new Zoho CRM API that just got released as part of the version release. Your refresh token does not have the required scope to access the new API. You can make use of incremental authorization to append the required scope to the same refresh token in these cases.
How can you use Incremental Authorization?
Step 1: Initiation Request
First, you need to send a request to get the scope enhancement token along with the refresh token for which the extra access is required.
Request format
POST {accounts-url}/oauth/v2/token/scopeenhance ?grant_type=update_scopes_token &client_id={client_id} &client_secret={client_secret} &refresh_token={refresh_token} |
The accounts-url is specific to the location (i.e., datacenter) where the client is registered. See all the server-specific URLs.
Request Parameters
You should send the initiation request with the below parameters. All parameters are mandatory
- grant_type: Specify the value as "update_scopes_token".
- client_id: Specify the client-id obtained from the API console.
- client_secret: Specify client-secret obtained from the API console.
- refresh_token: Specify the refresh token to which the additional scopes should be appended.
You will receive a response in the below format
{ "access_token": "{scope_enhancement_token}", "token_type": "update_scope", "expires_in": 600 } |
The scope_enhancement_token received in this response should be passed as a parameter in the next step - scope enhancement request.
Step 2: Scope enhancement request
This request appends the refresh token with additional scopes.
Request format
GET {accounts-url}/oauth/v2/token/addextrascope ?response_type=update_scopes &client_id={client_id} &redirect_uri={redirect_uri} &scope={required_scopes} &enhance_token={scope_enhancement_token} &logout=true |
Parameters
- response_type: Specify the value as "update_scopes".
- client_id: Specify the client-id obtained from the API console.
- redirect_uri : Specify the URI to which the authorization server will redirect the browser back with success or failure response. It has to be the same URI which is provided when registering the app in the API console.
- scope: Specify the scopes of the additional resources for which access is required.
- enhance_token: Scope enhancement token received in the response of the previous initiation request.
- logout: Specify as true if the user's session should be terminated after the permission is granted or rejected.
When this request is called, the application redirects the user to the Zoho Login page, and the user enters the Zoho credentials. Then, the permissions required are displayed once the user is authenticated.
The refresh token will be appended with the additional scopes, and a success response will be returned when the user grants permission. The user will be redirected to the redirect_uri with params status as success and scope_enhanced as true. The user can continue using the same refresh token can be used. If the user rejects the authentication, the system returns a failure response. The user will be redirected to the redirect_uri with params error as access_denied.
You will receive a response in the below formats:
Success Response
{redirect_uri}?status=success&scope_enhanced=true |
Failure Response
{redirect_uri}?error=access_denied |
We hope you found this post useful. We will meet you next week with another interesting topic!
If you have any questions, let us know in the comment section.
Cheers!
Previous Kaizen: Kaizen #167 - Configuration and Initialization of Zoho CRM Python SDK (V7) for different client types |
Kaizen Collection: Directory | Help document link: Incremental Authorization
Access your files securely from anywhere
Centralize Knowledge. Transform Learning.
All-in-one knowledge management and training platform for your employees and customers.
New to Zoho Recruit?
Zoho Developer Community
New to Zoho LandingPage?
Zoho LandingPage Resources
New to Zoho Survey?
New to Zoho CRM Plus?
Deliver unforgettable customer experiences
New to Zoho CRM Plus?
Deliver unforgettable customer experiences
New to Zoho Marketing Plus?
Everything you need to run your marketing
New to Zoho Marketing Plus?
Everything you need to run your marketing
New to Bigin?
Topic Participants
Mable Mary M P
Sticky Posts
Kaizen #198: Using Client Script for Custom Validation in Blueprint
Nearing 200th Kaizen Post – 1 More to the Big Two-Oh-Oh! Do you have any questions, suggestions, or topics you would like us to cover in future posts? Your insights and suggestions help us shape future content and make this series better for everyone.Kaizen #226: Using ZRC in Client Script
Hello everyone! Welcome to another week of Kaizen. In today's post, lets see what is ZRC (Zoho Request Client) and how we can use ZRC methods in Client Script to get inputs from a Salesperson and update the Lead status with a single button click. In thisKaizen #222 - Client Script Support for Notes Related List
Hello everyone! Welcome to another week of Kaizen. The final Kaizen post of the year 2025 is here! With the new Client Script support for the Notes Related List, you can validate, enrich, and manage notes across modules. In this post, we’ll explore howKaizen #217 - Actions APIs : Tasks
Welcome to another week of Kaizen! In last week's post we discussed Email Notifications APIs which act as the link between your Workflow automations and you. We have discussed how Zylker Cloud Services uses Email Notifications API in their custom dashboard.Kaizen #216 - Actions APIs : Email Notifications
Welcome to another week of Kaizen! For the last three weeks, we have been discussing Zylker's workflows. We successfully updated a dormant workflow, built a new one from the ground up and more. But our work is not finished—these automated processes are
New to Zoho TeamInbox?
Zoho TeamInbox Resources
Zoho CRM Plus Resources
Zoho Books Resources
Zoho Subscriptions Resources
Zoho Projects Resources
Zoho Sprints Resources
Qntrl Resources
Zoho Creator Resources
Zoho CRM Resources
Design. Discuss. Deliver.
Zoho Show Resources
Get Started. Write Away!
Writer is a powerful online word processor, designed for collaborative work.
Zoho CRM コンテンツ
-
オンラインヘルプ
-
Webセミナー
-
機能活用動画
-
よくある質問
-
Ebook
-
-
Zoho Campaigns
- Zoho サービスのWebセミナー
その他のサービス コンテンツ
Nederlandse Hulpbronnen
ご検討中の方
Recent Topics
Project Management Bulletin: December, 2025
The holiday cheer is in the air and it’s time to reflect on the year that was. At Zoho PM Suite, we've been working behind the scenes on something huge and exciting all year and now we are almost ready—with just a bit of confetti—for our grand releaseInventory batch details
Hi there, I'm trying to get the batch details of an item, here's what I've done so far. I've sent cUrl request to the below endpoint and I get a successful response. Within in the response I find the "warehouses" property which correctly lists all theAuto check out after shift complete
i'm just stuck here right now, i wanna know how to do this thing, now tell me, how can i configure a custom function that runs after complete shift time if employee forget to check-out ?How to create a flow that creates tickets automaticaly everyday based on specific times
Hi guys Does anyone know how to create a flow that will create tickets automaticaly in ZOHO Desk when a certain time is reached. Im havin a hard time configuring a flow that will create tickets automaticaly everyday during specific hours of the day ForZOHO FLOW - ZOHO CREATOR - ZOHO WRITER : Get Related records
Bonjour, J'ai besoin que vous m'ajoutiez la solution "Get related Records" dans la liste de choix de zoho creator (sous Zoho flow). En effet, j'ai besoin de récupérer les champs d'un sous formulaire pour l'ajouter à l'impression de mon document. MerWill zoho thrive be integrated with Zoho Books?
titleConnecting email for each department in ZohoDesk
Hi! Could someone help me to go through connecting emails for each department?How do I trigger a Flow based on a campaign response?
Is there a way to trgiider a Zoho Flow based upon a lead opening an email sent via Zoho Campaigns? I see that the data is recorded in the 'Campaigns' section of Zoho CRM under 'Member Status' and I want to trgigger a flow based upon that record changing.All Zoho Flows are filtered
My two flows operate perfectly when I run them as a test, but when they're activated each run ends with a status of neither success, nor fail, but filtered. I haven't set up any filters. I don't see where to turn off filters. When I test run on a sequenceCreating Multiple Items on Sales Order
Hi, I’m trying to automate some processes using Zoho Flow, specifically the creation of sales orders in my Zoho Inventory. However, Zoho Flow's Create Sales Order function can only add one item. I would like to include multiple items in a single salesProblem Connection from Zoho Flow and Gravity Form
I obtained my API key from Gravity Forms via WordPress. However, when I enter my Zoho Flow, it states: Gravity Forms says, 'You are not authorised to access the API." I tried recreating a new API key, but it is still not working.Eventbrite Email Field in Zoho Flow Returns "Info Requested" Instead of Actual Email
Hi Zoho team, I'm using Zoho Flow to connect Eventbrite with Zoho CRM. My goal is to automatically add event attendees as leads in Zoho CRM. I’ve set up the flow and mapped the ${trigger.profile_email}} field to the Email field in CRM. However, I'm running"Invalid value passed for Product ID" Error in Zoho Flow "Create Sales Order" Node
Hello Zoho Community, I’m facing an issue with Zoho Flow while trying to create a sales order in Zoho Inventory using the "Create Sales Order" node. Here’s a detailed explanation of my setup and the problem: What I’m Trying to Achieve I’m building anAssociating Project with an Account via Flow
I'm using flow to create a Project based on a Deal status update using flow. The fields exist to pass the Account Name through properly, but when you view the Projects module in a CRM Account Record it doesn't automatically associate the new Project RecordHow to follow up a member in a meeting?
Hello, I make weekly meeting online with a lot of people. I want(I've been using calendly to do it). I want to do a follow-up to it. I want to send messages via Zoho-flow to all the member that participated in the meeting. How can I do it?Setting Delays in Invoice Reminder Flow
I am currently working on a flow that sends reminders for unpaid invoices. The flow is designed to delay actions until specific intervals before the due date: A reminder should be sent 7 days before the due date. A second reminder should be sent 3 daysGet Sales Orders Related to Inventory Item
Dear Team, I'm just wondering if there is a way to get a list of all Sales Orders related to a specific Inventory Item. I did search all articles but couldn't find any article that could help.Endpoint Central Cloud Asset Update from Fresh Service
All, Does anyone use the asset management feature in Fresh Service? I'd like some help on building a flow to update asset attributes in Endpoint Central Cloud based off of an update to that same asset in Fresh Service. The trigger is "asset is updated"Zoho Flow Export to Deluge
It would be great to take a user built zoho flow and export the entire flow as a deluge script including having multiple connected applications (showing the API connections and webhooks) and different functionality in the other applications interactingAction Iteration/Loop using Zoho Flow
Trying to use Zoho Flow for automating following Context - A zoho form entry which has image upload field with upto 5 images setting and files are saved into Workdrive. After form is submitted need to create folder based on some fields and move filesZoho Flow - Unable to evaluate formatDate with Zoho Invoice Date Field for Calendar Integration
Hello Community, I'm trying to automate the creation of all-day events in Zoho Calendar whenever a new invoice is created in Zoho Invoice. I'm using Zoho Flow for this automation. My Goal: When an invoice is created with a specific "Event Date," I wantZoho Inventory Sales Order Items
I'm trying to build automation using Zoho Flow to add items to a Sales Order. In the automation options for both "create sales order" and "update sales order", The item ID is required. However, when I update the Sales Order, it's just replacing the itemPermissions for Azure Devops connection
I am trying to set up a connection with our Azure DevOps org but it keeps giving me this error. On Azure I should be able to have admin-level access to everything. Can you please point me to which permission this is checking for so I can enable it?My IMAP mail suddenly stopped working
On my iPhone and iPad, IMAP stopped working for my Zoho account with the error "User name or password incorrect" and "Invalid credentials failure" however I was able to access via web with the same credentials. Also stopped working on Apple Mail client.Confused by the distiction between matched and categorized when reconciling a bank statement an how to
I used to use quickbooks. In quickbooks, it was possible to use the check writing feature to add an expense that was on the bank statement that did not go through the AP and check writing process. I would write a check, assign it a number like etf (forNot Receiving OTP • https://voters.eci.gov.in/home/family
Hello Customer, Greetings from Zoho Mail. Upon a detailed review of our delivery logs, we can confirm that other Zoho Mail users are successfully receiving OTP emails from eci.gov.in. However, in your specific case, it appears that the OTP emails areWorkDrive for Excel Add on
Dear Sir/Madam Have installed Workdrive for Microsoft add on But unable to view the same added in ExcelSplitting Transactions in Zoho Books
I have read in past forum posts that the ability to split bank transactions would likely be implemented - it's definitely a typical accounting program feature. I'm new to Zoho and thought I'd found nirvana until I realized this feature doesn't seem toZoho Calendar s’enrichit avec une intégration à Zoho People et Zoho Cliq
Les journées de travail ne se déroulent jamais exactement comme prévu. Une conversation informelle devient une séance d’échange d'idées, une absence modifie un planning, et votre agenda se retrouve vite décalé par rapport à la réalité. Chez Zoho Calendar,Holidays
Hi; For defining Holidays, you need to add logic to handle the year as well as the month & day. We need to be able to enter Holidays for the next year. I need to add a holiday for January 2, 2017, but I can't until January 1st, which is a Sunday and weZoho public comments are confusing and unnecessary
Hi, we use zoho desk and have issues with public comments. We started using them because the "Reply" option just seemed very clumsy because of the following reasons: - the top "Reply" button starts what seems to be a regular email, showing the entireZoho API - ticket creation - Validation failed for the condition : Ticket Status Info should not be empty
Hi ! I'm trying to create ticket through Zoho API, and I'm getting a 422 response : "Validation failed for the condition : Ticket Status Info should not be empty" My request looks like this : curl --location 'https://desk.zoho.eu/api/v1/tickets' \ --headerDeleting unwanted ticket replies
Hello, In a Zoho Desk Ticket thread, sometimes one of the recipients has auto-reply activated. This creates a new message in the Ticket thread that not only pollutes the thread, but most importantly cannot be replied properly because usually auto-reply e-mails don't do "reply all", so the other recipients are not included. I want to delete such a message in the Ticket thread. I searched the help of Zoho Desk, but only found a way to mark as Spam (https://help.zoho.com/portal/kb/articles/marking-support-tickets-as-spam)System-generated support email added in CC on “Reply All”
Hi, I recently set up Zoho Desk for a client and we are trying to prevent the Zoho Desk system-generated support email address (not the mailbox used as the department’s "From address") from being automatically added in CC when agents use “Reply All” onConvenience Fees
I use Zoho Invoice for invoicing my billboard customers. I have a few customers that want to pay using credit cards and ACH. As a result, I have integrated an Online Payment Gateway (Stripe) for these customers. I currently charge these customers a "Convenience Fee" of 3% for using this service as I typically only take checks as payment (and the gateway charges 2.9% + $0.30 per transaction). I do this by creating a separate line item on the invoice and adding 3% to it. I would like to offerHTML Tags added to Reports with Notes
Recently Zoho added the ability to markup text within notes. That way, users can change font size, colors, etc. It's a great change. However, since the change, reports that include a column for "Note Content" are printing HTML tags within the report.Restrict Payment Methods
Allow us to restrict certain payment methods specific for each customer.Emails Getting Delay Error Messages - Status: 451
Hi. Hoping someone can help. I've been using Zoho for over a year now with no problems at all. Today, the majority of my emails I send out or reply to are getting this error: This message was created automatically by mail delivery system. THIS IS A WARNING MESSAGE ONLY. YOU DO NOT NEED TO RESEND YOUR MESSAGE. The original message was received at Sun, 22 Dec 2019 18:20:19 -0800 from wazza@amninjas.com [wazza@amninjas.com] ----- The following addresses had fatal errors ----- [Status: ERROR, Address:Add Domain
Hello Zoho Support, My Zoho Sites project accidentally auto-added domains with http:// prefix and duplicated domain entries. Current domains list shows: http://www.kinhtethethao.com.vn (Primary – cannot be removed) http://www.kinhtethethao.com.vn (verificationKaizen #221: Workflow & Actions Reports APIs
Over the last few weeks, we have joined Zylker Cloud Services as they restructured their automation ecosystem using Workflow APIs and Actions APIs. Along the way, we discovered how to audit workflows, update old rules, create new ones, and manage associatedNext Page