Kaizen #79 - OAuth2.0 - A Recap and FAQs
Hello everyone!
Welcome to another week of Kaizen!
Today, we will address a few frequently-asked questions about OAuth2.0 that include token generation, scopes, errors etc,.
If you have any other questions, let us know in the comment section. We will offer solutions and add them to this list.
Before we move on to common errors and their solutions, let us look at generating grant, access and refresh tokens for a client.
1. Creating a client
You must register your client on the API console to request access to users' resources. This client must handle authenticating itself to the authorization server and requesting an access token to access the users' resources.
Here is an example for creating a client for a server-based application.
2. Setting up an environment in Postman
- On the sidebar, click Environments > + icon.
- Enter a name for your environment.
- Create the following variables. We will fill in their values as we go along.
->client-id (obtained after registering the client)
->client-secret (obtained after registering the client)
->redirect-uri (given at the time of registering the client)
->accounts-url
->access-token
->refresh-token
->api-domain
->expiry-time - Select Save to save any environment variables you have added.
3. Generating the authorization code(grant token)
The authorization code flow is often used when the client is a web application running on a server. This flow uses a server-side redirect URI to receive the authorization code and adds a layer of security, rather than relying on a client-side redirect URI.
What do you need?
- client ID - obtained after registering the client.
- scopes - to get consent from the users to use their data. See the available scopes here.
- response_type - the value "code" as we are requesting for an authorization code.
- access_type - online or offline(to get a refresh token along with an access token, later).
What will you get?
- code - a one-time grant token that you will use to generate access and refresh tokens.
- accounts-server - the Zoho accounts URL that you will use to generate access and refresh tokens. This is the variable accounts-url in Postman.
- location - the API domain from which you must make API calls to access data. This is the variable api-domain in Postman.
Tip:
If you do not have an application, yet, but want to test this flow, copy-paste the following URL in your browser with valid values for the various parameters.
You will receive the grant token as a value to the key "code" in the redirect URL you specified while registering the client.
Here is a GIF of this process.
Self-client
Use this option if your application does not have a domain and a redirect URL.
You can also use this when your application is a standalone server-side application performing a back-end job like data sync.
4. Generating access and refresh tokens from the grant token
Access tokens allow the application to access user's data from the resource server. Each access token is valid for an hour, after which, you must use the refresh token to generate a new access token.
Note
Each access token is bound to the scope you specified while generating the grant token, i.e, if the scope while generating the grant token was ZohoCRM.modules.READ, you can only get data from all the modules but not update, create, or delete.
What do you need to generate access and refresh tokens?
- client_id - obtained while registering the client
- client_secret - obtained while registering the client
- redirect_uri - specified while registering the client
- code - the grant token you generated in the previous step
- grant_type - the value authorization_code
What will you get?
- access token - the token to access users' data. Valid for an hour.
- refresh token - the token to generate new access token for the same scope. Does not expire until it is revoked or till the 21st refresh token is created.
- scope - the scope for which these tokens are generated for.
- API domain - the domain to which you must make API calls to access data.
- expiry time in seconds and milliseconds - the time after which the access token expires in seconds and milliseconds. You can use this data to programmatically refresh the access token before it expires for continued access to data.
Here is how it works.
Tip:
When you use our API collection, the request to generate access and refresh tokens comes with a script that automatically updates the values of variables in your environment.
FAQs
1. Validity
- Grant token - Two minutes; one-time use only.
- Access token - One hour.
- Refresh token - does not expire until it is revoked or a 21st refresh token is created.
2. Token Limit
- Grant token - Ten grant tokens in a span of ten minutes.
- Access token - Ten access tokens in a span of ten minutes. When you generate the 11th token, the first-created one will be deleted, automatically.
- Refresh token - Ten refresh tokens in a span of ten minutes. You can have a maximum of 20 refresh tokens. When you create a 21st refresh token, the first-created one will be deleted.
The following are a few common errors you may face while generating tokens.
| Error | Cause | Solution |
invalid_oauth_token | The access token is either invalid or has expired. | Use the right access token or generate a new one from the refresh token. |
invalid_scope | The scope you have used is invalid. | Refer to Scopes for the list of available scopes. |
invalid_code | The authorization code(grant token) is invalid or has expired. | Grant token is valid only for two minutes. Use a grant token to generate access and refresh tokens within this time. Generate a new grant token if you face this error. |
invalid_redirect_uri | The redirect URI you have given in the API console is invalid. | Specify a valid redirect URI to be able to receive a grant token. |
invalid_client | Either the client ID or client secret is invalid. | Specify valid client ID and secret while making authorization calls. The API console has the client ID and secret. |
invalid_response_type | The value of the "response_type" key is invalid. | While generating access and refresh tokens from the grant token, the value of the "response_type" key must always be "code". |
Multi-DC
Zoho CRM is hosted at multiple data centers to comply with the privacy and data protection laws of various countries.
So, if your application is in the US DC but wants to use the data of users in the EU DC, you must enable multi-DC while registering your client.
The various domains and their respective accounts URLs are:
- US: https://accounts.zoho.com
- AU: https://accounts.zoho.com.au
- EU: https://accounts.zoho.eu
- IN: https://accounts.zoho.in
- CN: https://accounts.zoho.com.cn
- JP: https://accounts.zoho.jp
How do you ascertain the domain?
When you generate the grant token, the parameter location gives you the DC that the data is located in.
Similarly, when you generate the access and refresh tokens, the key api_domain gives you the domain-specific API URL.
For example, if you want to get the data of leads from EU, the API URL must be https://www.zohoapis.eu/crm/v4/Leads
We hope you found this post useful. We will meet you next week with another interesting topic.
Let us know your questions in the comment section or write to us at support@zohocrm.com.
Cheers!
Shylaja
Access your files securely from anywhere
Centralize Knowledge. Transform Learning.
All-in-one knowledge management and training platform for your employees and customers.
New to Zoho Recruit?
Zoho Developer Community
New to Zoho LandingPage?
Zoho LandingPage Resources
New to Zoho Survey?
New to Zoho CRM Plus?
Deliver unforgettable customer experiences
New to Zoho CRM Plus?
Deliver unforgettable customer experiences
New to Zoho Marketing Plus?
Everything you need to run your marketing
New to Zoho Marketing Plus?
Everything you need to run your marketing
New to Bigin?
Topic Participants
Shylaja S
David
Claire
Anu Abraham
Sticky Posts
Kaizen #198: Using Client Script for Custom Validation in Blueprint
Nearing 200th Kaizen Post – 1 More to the Big Two-Oh-Oh! Do you have any questions, suggestions, or topics you would like us to cover in future posts? Your insights and suggestions help us shape future content and make this series better for everyone.Kaizen #226: Using ZRC in Client Script
Hello everyone! Welcome to another week of Kaizen. In today's post, lets see what is ZRC (Zoho Request Client) and how we can use ZRC methods in Client Script to get inputs from a Salesperson and update the Lead status with a single button click. In thisKaizen #222 - Client Script Support for Notes Related List
Hello everyone! Welcome to another week of Kaizen. The final Kaizen post of the year 2025 is here! With the new Client Script support for the Notes Related List, you can validate, enrich, and manage notes across modules. In this post, we’ll explore howKaizen #217 - Actions APIs : Tasks
Welcome to another week of Kaizen! In last week's post we discussed Email Notifications APIs which act as the link between your Workflow automations and you. We have discussed how Zylker Cloud Services uses Email Notifications API in their custom dashboard.Kaizen #216 - Actions APIs : Email Notifications
Welcome to another week of Kaizen! For the last three weeks, we have been discussing Zylker's workflows. We successfully updated a dormant workflow, built a new one from the ground up and more. But our work is not finished—these automated processes are
New to Zoho TeamInbox?
Zoho TeamInbox Resources
Zoho CRM Plus Resources
Zoho Books Resources
Zoho Subscriptions Resources
Zoho Projects Resources
Zoho Sprints Resources
Qntrl Resources
Zoho Creator Resources
Zoho CRM Resources
Design. Discuss. Deliver.
Zoho Show Resources
Get Started. Write Away!
Writer is a powerful online word processor, designed for collaborative work.
Zoho CRM コンテンツ
-
オンラインヘルプ
-
Webセミナー
-
機能活用動画
-
よくある質問
-
Ebook
-
-
Zoho Campaigns
- Zoho サービスのWebセミナー
その他のサービス コンテンツ
Nederlandse Hulpbronnen
ご検討中の方
Recent Topics
Organization wide Account and Contacts Visibility/Sharing Capabilities?
Has anyone figured out a way to make visibility or sharing of Accounts and Contacts to be available across the entire organization without having to have every individual user edit their Sharing permissions? For our sales folks they need to be able toZoho Expense - Bi-Weekly Report Automation
Hi Zoho Expense Team, My feature request is to please include an option to automate creation of reports bi-weekly (every 2 weeks)Application Architecture in Zoho Creator: Why You Should Think About It from the Start
Many companies begin using Zoho Creator by building simple forms to automate internal processes. This is natural — the platform is extremely accessible and allows applications to be built very quickly. The challenge begins to appear when the applicationArquitetura de Aplicações no Zoho Creator: Por que pensar nisso desde o início
Muitas empresas começam a utilizar o Zoho Creator criando formulários simples para automatizar processos internos. Isso é natural — a plataforma é extremamente acessível e permite construir aplicações rapidamente. O problema começa a aparecer quando aNew 2026 Application Themes
Love the new themes - shame you can't get a little more granular with the colours, ie 3 different colours so one for the dropdown menu background. Also, I did have our logo above the application name but it appears you can't change logo placement positionHow to Customize & Reorder Spaces in Zoho One 25 (Spaces UI) — Admin Tips Not in the Docs
Hey Zoho Community, After digging around in the new Spaces UI, I found a couple of admin features that aren't well documented yet but are really useful. Sharing here in case others are looking for the same things. 🔁 How to Change the Default Space UsersDark Mode - Font Colors Don't Work
When editing a document in Dark Mode and selecting font colors, they don't show up on screen. Viewing/editing the same document in Light Mode shows them just fine.Including attachments with estimates
How can attachments be included when an estimate is sent/emailed and when downloaded as a .pdf? Generally speaking, attachments should be included as part of an estimate package. Ultimately, this is also true for work orders and invoices.Trying to access records in a custom module in Zoho Desk and not having luck
I've built a custom module in Zoho Desk and am using a custom function to query the records in the module and I'm not having any luck. The only way I have found to retreive a record is by getting it by its recordID (the long zoho assigned one). The functionDetailed list of scoring rules in Zoho CRM
Good morning Zoho community, warm greetings The reason for my message today is that I have a problem with my CRM, which I will explain below: Our organization has scoring rules designed to rate our potential customers or leads in the application basedSystem Components menu not available for Tablet to select language
I have attached a screenshot of my desktop, mobile, and tablet menu builder options. I am using 2 languages in my application. Language Selection is an option under the System Components part of the menu, but only for my desktop and phone(mobile). MyPlaceholder format in Number field does not reflect Max Digits configuration
When the Max Digits (Maximum digits of number) property is set to a smaller value (for example, 2 digits), the placeholder in the input field still displays a 7-digit format (#######). The same behavior can also be observed in Decimal and Currency fieldApprovals in Zoho Creator
Hi, This is Surya, in one of my creator application I have a form called job posting, and I created an approval process for that form. When a user submits that form the record directly adding to that form's report, even it is in the review for approval.How Zoho Desk contributes to the art of savings
Remember the first time your grandmother gave you cash for a birthday or New Year's gift, Christmas gift, or any special day? You probably tucked that money safely into a piggy bank, waiting for the day you could buy something precious or something youEstimate PDF Templates - logo too large
Hello, I cloned a standard estimate template, but my logo is showing up much larger than intended. This doesn’t happen with the standard invoice template, where the logo displays correctly. How can I adjust the logo size in the estimate template? ThankSelect CRM Custom Module in Zoho Creator
I have a custom module added in Zoho CRM that I would like to link in Zoho creator. When I add the Zoho CRM field it does not show the new module. Is this possible? Do i need to change something in CRM to make it accesible in Creator?Invoice emails not sending but reminders are
I am a new user. I have been creating some dummy invoices before I go live and have struck a block. Emails for the invoice are not being recieved by the recipient, however, when I send a reminder for the same invoice the email is sent. NOTE: I have checkedHow to close an estimate ?
Hello, I have created estimates, and converted them to invoices to get 50% payment. Now I have 2 cases where the estimate stills shows status partially invoiced, however: 1. for one of them, project stopped half way, so the remaining part will never beDeleted account recovery
I ended up accidentally deleting our Zoho invoice account while trying to work something out. Emailed support for recovery and restoration of the deleted account, if possible, but they responded by saying they can't find an account associated with thatCRM Cadences - working timesThe Friday afternoon? The next Monday morning? Not at all?
I think I’m writing saying that cadence emails are only sent during the organisations set working hours in CRM. So if a particular email is set to send for example in three days and that lands on a Sunday (when working hours are not operational) whenCRM Cadences - working times
I think I’m right in saying that cadence emails are only sent during the organisations set working hours in CRM. So if a particular email is set to send for example in three days and that lands on a Sunday (when working hours are not operational) whenCannot find zpuid for Zoho Projects user
I'm using the Zoho Projects v3 API to create a task. The task is created successfully, but in order to assign the task owner, the "Create a Task" API also requires the zpuid of the task owner. Unfortunately I cannot find any user-related API calls thatDevis et factures multipage coupées
Bonjour, je suis sur Zoho invoice et je rencontre un problème sur mes devis et factures lorsqu'ils dépassent 1 page. je me retrouve souvent avec des lignes coupées ou le sous total page 1 et le total page 2. j'aimerai savoir s'il existe une possibilitéZoho Desk View Open Tickets and Open Shared Tickets
Hi, I would like to create a custom view so that an agent can view all the open tickets he has access to, including the shared tickets created by a different department. Currently my team has to swich between two views (Open Tickets and Shared Open Tickets).Custom Related List Inside Zoho Books
Hello, We can create the Related list inside the zoho books by the deluge code, I am sharing the reference code Please have a look may be it will help you. //..........Get Org Details organizationID = organization.get("organization_id"); Recordid = cm_g_a_data.get("module_record_id");Add the same FROM email to multiple department
Hi, We have several agents who work with multiple departments and we'd like to be able to select their names on the FROM field (sender), but apparently it's not possible to add a FROM address to multiple departments. Is there any way around this? Thanks.How does SKU work when selling products in parts in Zoho Inventory
Hello everyone, Zoho Inventory does not understand the physical cutting of the piece.. It only tracks quantities of the unit (like feet ). So when you sell part of an item, the system simply reduces quantity for that SKU. Assume that i have a 50 ft longZoho Meeting - Feature Request - Introduce an option to use local date and time formating
Hi Zoho Meeting Team, My feature request is to add an option for dates to be displayed in the users local format. This is common practice across Zoho applications and particularly relevant to an application like Zoho Meeting which revolves around dateIncorrect Functioning of Time Logs API (Version 3)
We need to fetch the list of time logs for each task for our company internal usage. We are trying to achieve it by using the next endpoint: https://projects.zoho.com/api-docs#bulk-time-logs#get-all-project-time-logs Firstly, in the documentation theCannot give public access to Html Snippet in Zoho Creator Page
Hi, I created a form in Zoho Creator and published it. The permalink works but I want to override the css of the form. (style based URL parameters is not good enough) So I created a page and added an Html snippet. I can now override the css, which isHow can Outlook 365 link back into Zoho Projects so meetings and events in Outlook calendar show in Zoho?
We use Outlook 365 for our emails and diaries and have integrated Zoho Projects with Office 365. One challenge we face is getting Zoho Projects to recognise when we have meetings and events in Outlook and not allow project managers to assign tasks over that period. Is there a way to resolve this? ThanksIMPORTANT: It doens´t show full article name on search - Should add line break
When we search for articles, it doesn´t show the full name. There should be a line break so the user can see the full article name, otherwise the user can´t know if that´s the article he/she is looking for. This is very important, otherwise the user hasIMPORTANT: It doesn´t search for letters with portuguese characters.
Some of my articles have for example the word "vídeo". But if I search for "vídeo" it doesn´t find them. If I search for "video" it does find them. Idealy, it should find the articles either way. But if I have to choose, it would be better to find theOn Edit Validation Blueprint
Hello, I have a notes field and a signature field. When the Approve button is clicked, the Signature field will appear and must be filled in. When the Reject button is clicked, the Notes field will appear and must be filled in. Question: Blueprint willZoho Invoice en Navarra (Spain)
Hola, ¿Alguien usa Zoho Invoice en la Comunidad Foral de Navarra? En Navarra tenemos un sistema tributario diferente y no aplica Verifactu (la Hacienda Foral de Navarra ha anunciado su alternativa, NaTicket, pero no ha informado cuándo entrará en vigor).Conect chat of salesiq with zoho cliq
Is there any way to answer from zoho cliq the chat of salesiq initiated by customers?Emails from Zoho are getting blocked due to Zoho IP address being blacklisted
This is the info I got from my hosting provider – please address this issue immediately. I don’t expect this from such a big household name. Every single invoice I have sernt it not being received by my clients, all being blocked. All of a sudden. Asagentid : Where to find?
I've been looking around for this agenId to check for the total ticket assigned on a specific agent url :"https://desk.zoho.com/api/v1/ticketsCountByFieldValues?departmentId=351081000000155331&agentId=35108xxxxxx132009&field=statusType,status" type :GETZoho DataPrep integration with OpenAI (beta)
We are thrilled to announce Zoho DataPrep's integration with OpenAI. The public beta roll-out opens up three features. Users who configure their OpenAI Organizational ID and ChatGPT API key (Find out how) will be able access the features. The featuresAbility to Attach Record-Specific Files Automatically in Workflow Email Templates
Currently in Zoho CRM, email templates allow attachments to be added, but these attachments are static and remain the same for every recipient. There is no straightforward option to automatically attach a file that is stored within the specific CRM recordNext Page