Hello everyone!
Welcome back to yet another post in the Kaizen series.
This week, we will discuss how tokens are used in authorization and the limits that apply to them.
Tokens in OAuth 2.0
Zoho CRM employs the OAuth 2.0 authorization model to authorize its API requests. Grant token, access token, and refresh token are the three major components that play an important role in the authorization process. Initially, the user needs to register a client with Zoho CRM. After registration, the user can generate grant tokens depending on the operation they plan to perform.
The grant token is then exchanged for the access and refresh tokens. The access token is passed as a bearer token in every API request. An access token is valid only for 3600 seconds (60 minutes). Once the access token expires, a new access token can be generated using the refresh token.
Figure - OAuth 2.0 Overview
Token Limits
An important aspect of tokens is that each token type has a limit on the number of tokens that can be generated in a given period and on the number of tokens that can be active at the same time. Let us look at the major limits that apply to each token type.
| Token Name | Number of tokens per 10 minutes | Maximum number of concurrent active tokens | Note |
| --- | --- | --- | --- |
| Grant Token | 10 | - | - |
| Access Token | 10 per refresh token | 15 | Creation of the 16th token deletes the first. |
| Refresh Token | 10 per user per client | 20 | Creation of the 21st token deletes the first. The access token created from the first refresh token gets deleted as well. |
What if you exceed the allowed limit?
Requests made after the allowed limit is exceeded still return HTTP status code 200. However, the response message for such requests says "Access Denied", and no further tokens are generated.
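To make the eviction rules in the table and the "Access Denied" behaviour concrete, here is an added example (hypothetical client-side code, not Zoho's) that models the 15-active-access-token and 20-active-refresh-token limits, the 60-minute access token lifetime, and a response check that does not trust the 200 status code alone. The per-10-minute generation limits and the eviction order (oldest first) are modelled as the post describes them; how the real server orders eviction beyond that is an assumption.

```python
from collections import deque

ACCESS_TTL = 3600          # seconds; an access token lives for 60 minutes (from the post)
MAX_ACTIVE_ACCESS = 15     # the 16th access token evicts the oldest (from the post's table)
MAX_ACTIVE_REFRESH = 20    # the 21st refresh token evicts the oldest, plus its access tokens


class TokenLedger:
    """Hypothetical client-side model of the limits described in the post.

    It tracks which tokens should still be live so a client can notice that a
    cached token has been silently invalidated by over-generating new ones.
    """

    def __init__(self):
        self.refresh = deque()   # live refresh tokens, oldest first
        self.access = deque()    # (access_token, parent_refresh_token, issued_at)

    def add_refresh(self, token):
        self.refresh.append(token)
        if len(self.refresh) > MAX_ACTIVE_REFRESH:
            evicted = self.refresh.popleft()
            # access tokens minted from the evicted refresh token die with it
            self.access = deque(a for a in self.access if a[1] != evicted)

    def add_access(self, token, parent_refresh, now):
        self.access.append((token, parent_refresh, now))
        if len(self.access) > MAX_ACTIVE_ACCESS:
            self.access.popleft()   # oldest access token is deleted

    def is_live(self, token, now):
        """True if the token has not been evicted and has not expired."""
        return any(t == token and now - issued < ACCESS_TTL
                   for t, _, issued in self.access)


def token_request_failed(status, body):
    """A limit breach returns HTTP 200 with an 'Access Denied' message, so a
    client that only checks the status code keeps retrying; inspect the body."""
    return status != 200 or "Access Denied" in str(body)
```

Reusing a cached access token until `is_live` reports it expired, rather than minting one per request, is what keeps a client inside the 10-per-10-minute budget.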