Hi everyone!

Welcome back to another week of Kaizen! 

In this post, we will shed some light on the OAuth2.0 protocol and how you can use Zoho's Self Client option to authenticate your application and generate the tokens.

What is OAuth2.0?

OAuth 2.0 is an industry standard protocol specification that enables third-party applications (clients) to gain delegated access to protected resources in Zoho via an API.

Why should we use OAuth2.0?

• Clients are not required to support password authentication or store user credentials.
  
• Clients gain delegated access, i.e., access only to resources authenticated by the user.
  
• Users can revoke client's delegated access anytime.
  
• OAuth access tokens expire after a set time. If the client faces a security breach, user data will be compromised only until the access token is valid.
  

To use the Zoho CRM APIs, you must authenticate the application to make API calls on your behalf with an access token.

The access token, in return, must be obtained from a grant token (authorization code).

Zoho CRM APIs use the authorization code grant type to provide access to protected resources.

In this type,

1. The web application redirects the user to the OAuth server.
   
2. The user sees the authorization prompt and approves the app's request as shown in the below image.
   
   
   
3. The user is redirected back to the application with an authorization code in the query string.
   
   
   
4. The application exchanges the authorization code for an access token.
   

As you can see, this involves user intervention while authorizing your application.

When should you use Self Client?

If your application is a stand-alone application that performs only back-end jobs like data-sync(without any manual intervention), you cannot use this authorization code flow. 

In the below example image, the data sync happens between Zoho CRM and your legacy Product Management system. So, it is perfect to use the Self Client option as it does not need an UI for this type of application. Using this flow, you can generate the grant token, access, and refresh tokens.

How to use Self Client?

1. Go to Zoho Developer Console and log in with your Zoho CRM username and password.

2. Choose Self Client from the list of client types.

3. Click Create on the Create New Client page and click OK in the pop up to enable a self client for your account.

4. Now, your client ID and secret is displayed under the Client Secret tab.

5. Click the Generate Code tab to generate the Grant token.

The grant token is a temporary token generated by the authorization server (Zoho CRM, here) to generate access and refresh tokens.

Before generating the grant token, you must decide the scope you need. Scope decide the level of access a client can have to a resource.
Refer to our list of scopes, for more details.

a. Click the Generate Code tab and enter the required scope separated by commas.

b. Select the Time Duration for which the grant token is valid. Please note that after this time, the grant token expires.

c. Enter a description and click Generate.

d. The generated code for the specified scope is displayed. Copy the grant token.

e. Please note that generating grant token is a one-time process, provided you generate the access and refresh tokens within the time the grant token is valid for.

a. Open Postman.

b. Make a POST request with the following URL.

"{{accounts-domain}}/oauth/v2/token"

{{accounts-domain}} is the domain-specific URL in which you registered your client.

c. Pass the below keys and their values in the body of the request.

d. Hit Send. The access and refresh tokens are displayed in the response.

 e. The access token is valid for an hour from generation. 

 f. The refresh token does not expire. You can use this to refresh your access token when they expire.