Kaizen #79 - OAuth2.0 - A Recap and FAQs
Hello everyone!
Welcome to another week of Kaizen!
Today, we will address a few frequently-asked questions about OAuth2.0 that include token generation, scopes, errors etc,.
If you have any other questions, let us know in the comment section. We will offer solutions and add them to this list.
Before we move on to common errors and their solutions, let us look at generating grant, access and refresh tokens for a client.
1. Creating a client
You must register your client on the API console to request access to users' resources. This client must handle authenticating itself to the authorization server and requesting an access token to access the users' resources.
Here is an example for creating a client for a server-based application.
2. Setting up an environment in Postman
- On the sidebar, click Environments > + icon.
- Enter a name for your environment.
- Create the following variables. We will fill in their values as we go along.
->client-id (obtained after registering the client)
->client-secret (obtained after registering the client)
->redirect-uri (given at the time of registering the client)
->accounts-url
->access-token
->refresh-token
->api-domain
->expiry-time - Select Save to save any environment variables you have added.
3. Generating the authorization code(grant token)
The authorization code flow is often used when the client is a web application running on a server. This flow uses a server-side redirect URI to receive the authorization code and adds a layer of security, rather than relying on a client-side redirect URI.
What do you need?
- client ID - obtained after registering the client.
- scopes - to get consent from the users to use their data. See the available scopes here.
- response_type - the value "code" as we are requesting for an authorization code.
- access_type - online or offline(to get a refresh token along with an access token, later).
What will you get?
- code - a one-time grant token that you will use to generate access and refresh tokens.
- accounts-server - the Zoho accounts URL that you will use to generate access and refresh tokens. This is the variable accounts-url in Postman.
- location - the API domain from which you must make API calls to access data. This is the variable api-domain in Postman.
Tip:
If you do not have an application, yet, but want to test this flow, copy-paste the following URL in your browser with valid values for the various parameters.
You will receive the grant token as a value to the key "code" in the redirect URL you specified while registering the client.
Here is a GIF of this process.
Self-client
Use this option if your application does not have a domain and a redirect URL.
You can also use this when your application is a standalone server-side application performing a back-end job like data sync.
4. Generating access and refresh tokens from the grant token
Access tokens allow the application to access user's data from the resource server. Each access token is valid for an hour, after which, you must use the refresh token to generate a new access token.
Note
Each access token is bound to the scope you specified while generating the grant token, i.e, if the scope while generating the grant token was ZohoCRM.modules.READ, you can only get data from all the modules but not update, create, or delete.
What do you need to generate access and refresh tokens?
- client_id - obtained while registering the client
- client_secret - obtained while registering the client
- redirect_uri - specified while registering the client
- code - the grant token you generated in the previous step
- grant_type - the value authorization_code
What will you get?
- access token - the token to access users' data. Valid for an hour.
- refresh token - the token to generate new access token for the same scope. Does not expire until it is revoked or till the 21st refresh token is created.
- scope - the scope for which these tokens are generated for.
- API domain - the domain to which you must make API calls to access data.
- expiry time in seconds and milliseconds - the time after which the access token expires in seconds and milliseconds. You can use this data to programmatically refresh the access token before it expires for continued access to data.
Here is how it works.
Tip:
When you use our API collection, the request to generate access and refresh tokens comes with a script that automatically updates the values of variables in your environment.
FAQs
1. Validity
- Grant token - Two minutes; one-time use only.
- Access token - One hour.
- Refresh token - does not expire until it is revoked or a 21st refresh token is created.
2. Token Limit
- Grant token - Ten grant tokens in a span of ten minutes.
- Access token - Ten access tokens in a span of ten minutes. When you generate the 11th token, the first-created one will be deleted, automatically.
- Refresh token - Ten refresh tokens in a span of ten minutes. You can have a maximum of 20 refresh tokens. When you create a 21st refresh token, the first-created one will be deleted.
The following are a few common errors you may face while generating tokens.
| Error | Cause | Solution |
invalid_oauth_token | The access token is either invalid or has expired. | Use the right access token or generate a new one from the refresh token. |
invalid_scope | The scope you have used is invalid. | Refer to Scopes for the list of available scopes. |
invalid_code | The authorization code(grant token) is invalid or has expired. | Grant token is valid only for two minutes. Use a grant token to generate access and refresh tokens within this time. Generate a new grant token if you face this error. |
invalid_redirect_uri | The redirect URI you have given in the API console is invalid. | Specify a valid redirect URI to be able to receive a grant token. |
invalid_client | Either the client ID or client secret is invalid. | Specify valid client ID and secret while making authorization calls. The API console has the client ID and secret. |
invalid_response_type | The value of the "response_type" key is invalid. | While generating access and refresh tokens from the grant token, the value of the "response_type" key must always be "code". |
Multi-DC
Zoho CRM is hosted at multiple data centers to comply with the privacy and data protection laws of various countries.
So, if your application is in the US DC but wants to use the data of users in the EU DC, you must enable multi-DC while registering your client.
The various domains and their respective accounts URLs are:
- US: https://accounts.zoho.com
- AU: https://accounts.zoho.com.au
- EU: https://accounts.zoho.eu
- IN: https://accounts.zoho.in
- CN: https://accounts.zoho.com.cn
- JP: https://accounts.zoho.jp
How do you ascertain the domain?
When you generate the grant token, the parameter location gives you the DC that the data is located in.
Similarly, when you generate the access and refresh tokens, the key api_domain gives you the domain-specific API URL.
For example, if you want to get the data of leads from EU, the API URL must be https://www.zohoapis.eu/crm/v4/Leads
We hope you found this post useful. We will meet you next week with another interesting topic.
Let us know your questions in the comment section or write to us at support@zohocrm.com.
Cheers!
Shylaja
Access your files securely from anywhere
Zoho Developer Community
New to Zoho LandingPage?
Zoho LandingPage Resources
New to Zoho Survey?
New to Zoho CRM Plus?
Deliver unforgettable customer experiences
New to Zoho CRM Plus?
Deliver unforgettable customer experiences
New to Zoho Marketing Plus?
Everything you need to run your marketing
New to Zoho Marketing Plus?
Everything you need to run your marketing
New to Bigin?
Topic Participants
Shylaja S
David
Claire
Anu Abraham
Sticky Posts
Client Script | Update - Introducing Commands in Client Script!
Have you ever wished you could trigger Client Script from contexts other than just the supported pages and events? Have you ever wanted to leverage the advantage of Client Script at your finger tip? Discover the power of Client Script - Commands! CommandsKaizen #165 : How to call Zoho CRM APIs using Client Script
Welcome back to another exciting Client Script post! In this post, we will discuss one of the most frequently asked questions: How do you call Zoho CRM APIs from Client Scripts? In this kaizen post, 1. Ways to make calls to Zoho CRM APIs using ClientKaizen#162 : Add Tags and Open Pre-filled Email Drafts via Client Scripts
Hello everyone! Welcome to another informative Kaizen post. In this post, let us see how to accomplish the following using Client Script. 1. How to auto-tag a record based on field update? 2. How to Open a pre-filled email draft This post will provideExtension Pointers - JS SDK series #4: Managing data from a widget using ZOHO.CRM.HTTP
Handling and managing the data between two applications is a major factor for an efficient business. There are a variety of ways to handle data between Zoho CRM and other third-party applications. You can use deluge CRM tasks, create connectors, use APIKaizen #152 - Client Script Support for the new Canvas Record Forms
Hello everyone! Have you ever wanted to trigger actions on click of a canvas button, icon, or text mandatory forms in Create/Edit and Clone Pages? Have you ever wanted to control how elements behave on the new Canvas Record Forms? This can be achieved
New to Zoho TeamInbox?
Zoho TeamInbox Resources
Zoho DataPrep Resources
Zoho CRM Plus Resources
Zoho Books Resources
Zoho Subscriptions Resources
Zoho Projects Resources
Zoho Sprints Resources
Qntrl Resources
Zoho Creator Resources
Zoho Campaigns Resources
Zoho CRM Resources
Design. Discuss. Deliver.
Zoho Show Resources
Get Started. Write Away!
Writer is a powerful online word processor, designed for collaborative work.
Zoho CRM コンテンツ
-
オンラインヘルプ
-
Webセミナー
-
機能活用動画
-
よくある質問
-
Ebook
-
-
Zoho Campaigns
- Zoho サービスのWebセミナー
その他のサービス コンテンツ
Nederlandse Hulpbronnen
ご検討中の方
Recent Topics
Automatically assign Contacts to Account owners
Hi, I have a finite number of accounts set up in the CRM, and each new contact that comes in is automatically assigned to an Account according to a rule I set up. I want the Contact owner in the Contacts module to be assigned to the relevant Account owner.Making Copies/Duplicates of Zoho Forms (Shared)
Question to the community: is there a way to take a 'shared form' , make a duplicate copy and save under My Forms, so that i can use that which was already created as a template to make updates to and use as a test form and be able to have full access,Using IMAP configuration for shared email inboxes
Our customer service team utilizes shared email boxes to allow multiple people to view and handle incoming customer requests. For example, the customer sends an email to info@xxxx.com and multiple people can view it and handle the request. How can I configureCan you help us creating a customised form with payment link?
I would like to create a customised Transport form where the user will be asked to make payment basis the drop/ pick up they select.Deleting or disabeling predefined ticket list views
Is it possible to delete or disable predefined views or is this still not possible? For instance, we are not using the chat function and therefore have no use for the "Missed Chats" view. Thanks!Email an Invoice from API
When calling the API to email an invoice, it seems it does not actually send it. Below is a screen shot where I used an API call for the bottom record, and it updated its' status to "Due Today", but no email was actually sent. The top record, I hit theUnable to load your extension. Please check your plugin-manifest or Resources.json.
Hi Team, I am using the config module with multiple fields of different types, such as checkboxes and picklists. However, I am encountering the following issues: Error Message: When loading the extension, I get the error: "Unable to load your extension.Layout Rules / Quick create
Hello, is there a way to create a layout rule for quick create option? Regards, KatarzynaIssue with Create Note Button and Popup Form in Leads Module
Hello Zoho Community, I am trying to implement a "Create Note" button in the Leads module with the following functionality: 1. When the button is clicked, a form should pop up with fields to add notes. 2. After filling out the form and clicking Send,Finding draft ticket replies
Is there a way to see all tickets which have draft replies?Guidance on Making Zoho Desk Connections Available for All Data Centers
Hi Team, I’m currently developing an application using Zoho Desk connections to manage OAuth for my third-party products. Could you please advise on the steps required to make it available across all data centers? Looking forward to your thoughts onAble to change project on timelog entries
Ability to move the timesheet entry from one project to another. When a user adds a wrong entry a manager can change/update the timesheet entry to the correct project.Caso de Uso | Menos trámites, más salud: Clínicum optimiza sus recursos con Zoho One
"La automatización del proceso de solicitud de bajas y su trazabilidad a través de Zoho nos ha supuesto una mejora en el ROI." - Carol Rodríguez, Responsable de Experiencia del Cliente interno y externo en Clínicum ¡Hola a todos! Estamos emocionados deHow do I stop getting notified about upgrading to Upgrade now and save big!
How do I stop getting notified about upgrading to Upgrade now and save big! There is no way to clear this notification, and EVERY Day I get alerted to upgrade, but there is no permanent way to dismiss this alert! How can I permanently dismiss this aDouble opt-in notifications and customizable confirmation messages for your webforms
Dear CRM Community, We are excited to announce a major upgrade to our Webforms feature. You can now customize the confirmation message shown to your users who double opt-in from your webform and also customize your confirmation emails when they submitBulk create tasks - Zoho Projects API
Hi Zoho/Community, I am trying to create multiple tasks in a single API call, is there a way we can combine multiple request bodies into one single payload? The issue I am facing is the rate limiting on the API, I wanted to create certain amount of tasksTask Due dates and Reminder Date & Time
I like to have a reminder on many tasks in Zoho Recruit. I find the process cumbersome in that each task requires the following: 1. click and select due date 2. Click the reminder box 3. Click on (Reminder) Start Date 4. Click on (Reminder )Time If oneUnable to Access Admin Console and Email Sending Issues
Hello Zoho Support Team and Community, I hope this post finds you well. I am currently facing two significant issues with Zoho services: Admin Console Access Issue: Every time I try to access the Zoho Admin Console, it gets stuck on the loading screenTracking new lead response time
Hi, I have a team of Sales Development Reps, who have a KPI of responding to a lead within 20 mins or less once it hits the system. I seem to recall that Zoho CRM had the capability to track this in a previous version, but don't see it anywhere. It'sGetting The Following Error.. 550 5.4.6 Unusual sending activity detected
I just launched a marketing campaign and I got this error. Everything was working fine previously. This is a big launch so need to fix it asap. Can anyone help?Printing on 80mm bluetooth Pos Printer
Hello. I am trying to print receipts and invoices using my 80mm bluetooth connectivity Pos printer. I have configured the Templates to Retail so that it matches the paper width of the Pos printer. However, when I click Print in zoho, first it opens theTrying to integrate gmail but google keeps blocking Zoho access for integration??
hi i am trying to integrate a gmail account so can track/access business emails this way. I have followed the instructions but after selecting my email account it gets re-routed to this message (screengrab below) Can anyone advise a way around this orWhich attribute in Zoho books invoice api represent branch attached to the invoice?
Hi Zoho Team, We have done the integration with Zoho Books API. While fetching data from Invoice API we want to get branch value attached to the invoice. We could not figure out which field in "Get an Invoice" api represents branch value attribute. ThanksHow to Billed from two different GST Numbers
How to Billed from two different GST Numbers. Suppose ABC & Co had GST registration in Delhi and Haryana and Zoho account is created with Delhi GST Registration number. Now i also want to issue invoice from Haryana GST Registration number. How can i proceed ?How to hide Predefined views
Hi, I would like to know how to hide: Predefined views and Recent views or some records from this list. If I'm using it form iPad I have to scroll to see User created views. Or maybe it's possibility to move User created views on the top. All the best,Deleting Views
How do you delete views? Please sydFixed Assets
Where would I manage my fixed assetsReport on Assets
Hi, Is it possible to report purchased assets on a specific year? The Balance Sheet shows everything up to the current date, and the expense reports will not show purchased assets because they are assets not expenses. If it is not possible, then is it possible to setup an API connection with Books to extract data from to another Reporting application?Purchase of Fixed Assets
How can I record the purchase of assets using zoho books? For example, I purchased 4 laptop for 100000 $ each and paid it through my bank account. How can I record this transaction and maintain track of how much of the assets I bought?Where is the Fixed Asset Register?
I am a Zoho One user for 18 months, using invoicing and CRM and now ready to migrate my books to Zoho Books. Where do I keep the fixed asset register for the equipment that I use in my business? I have a service based business with a lot of gear and businessKaizen #168 - Incremental Authorization
Welcome to this week's post in the Kaizen series. In this post, we will discuss Incremental Authorization. What is Incremental Authorization? Incremental Authorization is an OAuth strategy that allows a client to request specific authorization scopesConfigure Notes Title for Blueprint Transition
It'd be very helpful to be able to configure note titles on blueprint transitions when requiring notes. This would help tie back the history of notes to the blueprint actions. We have some approval processes in our blueprint and require notes for theAn update to improve email delivery | Email Authentication & Relay
Dear Zoho Recruit Community, We hope this message finds you well. This post is to inform you about an important update regarding the authentication of all email domains in your Zoho Recruit account. Effective 31st December, 2024, emails sent using emailStop adding Default ID column to xls exports
When anything is exported to xls, Zoho adds a column with an ID. WE DO NOT WANT THIS COLUMN. We use an automated report to a team. We have our own tracking number. 1. This makes the report messy, it just pushes OUR data off to the right. 2. We haveZoho cases and remote work api
How to use zoho cases listing api? When i try to hit the endpoint specified in the docs , i get the error : the page you are looking for does not exist with a 401.Calendly does not show scheduled Meetings
I use Calendly as my standard booking tool, but no matter what I am doing, Calendly shows any appointment as free (when in fact there already is an appointment in CRM Calendar or Zoho Calendar). Drives me nuts - cannot go away from Calendly due to variousI want the currency in my account to be Mexican pesos.
Hello, I am a Mexican citizen and live in Ukraine. When I registered to your system, it was seen that I was from Ukraine, so the default currency is Euro. This is causing me a problem. Please change the standard currency in my account to Mexican PesYear-End Wrap: Don't rewrite - Switch to Email Templates
As we're half-way through December, now is the perfect time to start sending out festive greetings. Whether it is to your clients or your team, it is important that every mail is tailored to the recipient and feels genuine, which allows you to make betterElevating Email Security on Zoho Desk: DKIM Now Mandatory
Hello Zoho Desk Users! It has been a wonderful journey with you on Zoho Desk. As we prepare to welcome 2025, we are strengthening our efforts to ensure a secure and seamless experience for you. To enhance email security, DKIM configuration will be mandatoryHow to view shared mailbox in Outlook
How to view shared mailbox in Outlook or in another softwareNext Page