Kaizen #79 - OAuth2.0 - A Recap and FAQs
Hello everyone!
Welcome to another week of Kaizen!
Today, we will address a few frequently-asked questions about OAuth2.0 that include token generation, scopes, errors etc,.
If you have any other questions, let us know in the comment section. We will offer solutions and add them to this list.
Before we move on to common errors and their solutions, let us look at generating grant, access and refresh tokens for a client.
1. Creating a client
You must register your client on the API console to request access to users' resources. This client must handle authenticating itself to the authorization server and requesting an access token to access the users' resources.
Here is an example for creating a client for a server-based application.
2. Setting up an environment in Postman
- On the sidebar, click Environments > + icon.
- Enter a name for your environment.
- Create the following variables. We will fill in their values as we go along.
->client-id (obtained after registering the client)
->client-secret (obtained after registering the client)
->redirect-uri (given at the time of registering the client)
->accounts-url
->access-token
->refresh-token
->api-domain
->expiry-time - Select Save to save any environment variables you have added.
3. Generating the authorization code(grant token)
The authorization code flow is often used when the client is a web application running on a server. This flow uses a server-side redirect URI to receive the authorization code and adds a layer of security, rather than relying on a client-side redirect URI.
What do you need?
- client ID - obtained after registering the client.
- scopes - to get consent from the users to use their data. See the available scopes here.
- response_type - the value "code" as we are requesting for an authorization code.
- access_type - online or offline(to get a refresh token along with an access token, later).
What will you get?
- code - a one-time grant token that you will use to generate access and refresh tokens.
- accounts-server - the Zoho accounts URL that you will use to generate access and refresh tokens. This is the variable accounts-url in Postman.
- location - the API domain from which you must make API calls to access data. This is the variable api-domain in Postman.
Tip:
If you do not have an application, yet, but want to test this flow, copy-paste the following URL in your browser with valid values for the various parameters.
You will receive the grant token as a value to the key "code" in the redirect URL you specified while registering the client.
Here is a GIF of this process.
Self-client
Use this option if your application does not have a domain and a redirect URL.
You can also use this when your application is a standalone server-side application performing a back-end job like data sync.
4. Generating access and refresh tokens from the grant token
Access tokens allow the application to access user's data from the resource server. Each access token is valid for an hour, after which, you must use the refresh token to generate a new access token.
Note
Each access token is bound to the scope you specified while generating the grant token, i.e, if the scope while generating the grant token was ZohoCRM.modules.READ, you can only get data from all the modules but not update, create, or delete.
What do you need to generate access and refresh tokens?
- client_id - obtained while registering the client
- client_secret - obtained while registering the client
- redirect_uri - specified while registering the client
- code - the grant token you generated in the previous step
- grant_type - the value authorization_code
What will you get?
- access token - the token to access users' data. Valid for an hour.
- refresh token - the token to generate new access token for the same scope. Does not expire until it is revoked or till the 21st refresh token is created.
- scope - the scope for which these tokens are generated for.
- API domain - the domain to which you must make API calls to access data.
- expiry time in seconds and milliseconds - the time after which the access token expires in seconds and milliseconds. You can use this data to programmatically refresh the access token before it expires for continued access to data.
Here is how it works.
Tip:
When you use our API collection, the request to generate access and refresh tokens comes with a script that automatically updates the values of variables in your environment.
FAQs
1. Validity
- Grant token - Two minutes; one-time use only.
- Access token - One hour.
- Refresh token - does not expire until it is revoked or a 21st refresh token is created.
2. Token Limit
- Grant token - Ten grant tokens in a span of ten minutes.
- Access token - Ten access tokens in a span of ten minutes. When you generate the 11th token, the first-created one will be deleted, automatically.
- Refresh token - Ten refresh tokens in a span of ten minutes. You can have a maximum of 20 refresh tokens. When you create a 21st refresh token, the first-created one will be deleted.
The following are a few common errors you may face while generating tokens.
| Error | Cause | Solution |
invalid_oauth_token | The access token is either invalid or has expired. | Use the right access token or generate a new one from the refresh token. |
invalid_scope | The scope you have used is invalid. | Refer to Scopes for the list of available scopes. |
invalid_code | The authorization code(grant token) is invalid or has expired. | Grant token is valid only for two minutes. Use a grant token to generate access and refresh tokens within this time. Generate a new grant token if you face this error. |
invalid_redirect_uri | The redirect URI you have given in the API console is invalid. | Specify a valid redirect URI to be able to receive a grant token. |
invalid_client | Either the client ID or client secret is invalid. | Specify valid client ID and secret while making authorization calls. The API console has the client ID and secret. |
invalid_response_type | The value of the "response_type" key is invalid. | While generating access and refresh tokens from the grant token, the value of the "response_type" key must always be "code". |
Multi-DC
Zoho CRM is hosted at multiple data centers to comply with the privacy and data protection laws of various countries.
So, if your application is in the US DC but wants to use the data of users in the EU DC, you must enable multi-DC while registering your client.
The various domains and their respective accounts URLs are:
- US: https://accounts.zoho.com
- AU: https://accounts.zoho.com.au
- EU: https://accounts.zoho.eu
- IN: https://accounts.zoho.in
- CN: https://accounts.zoho.com.cn
- JP: https://accounts.zoho.jp
How do you ascertain the domain?
When you generate the grant token, the parameter location gives you the DC that the data is located in.
Similarly, when you generate the access and refresh tokens, the key api_domain gives you the domain-specific API URL.
For example, if you want to get the data of leads from EU, the API URL must be https://www.zohoapis.eu/crm/v4/Leads
We hope you found this post useful. We will meet you next week with another interesting topic.
Let us know your questions in the comment section or write to us at support@zohocrm.com.
Cheers!
Shylaja
Access your files securely from anywhere
New to Zoho Recruit?
Zoho Developer Community
New to Zoho LandingPage?
Zoho LandingPage Resources
New to Zoho Survey?
New to Zoho CRM Plus?
Deliver unforgettable customer experiences
New to Zoho CRM Plus?
Deliver unforgettable customer experiences
New to Zoho Marketing Plus?
Everything you need to run your marketing
New to Zoho Marketing Plus?
Everything you need to run your marketing
New to Bigin?
Topic Participants
Shylaja S
David
Claire
Anu Abraham
Sticky Posts
Kaizen #152 - Client Script Support for the new Canvas Record Forms
Hello everyone! Have you ever wanted to trigger actions on click of a canvas button, icon, or text mandatory forms in Create/Edit and Clone Pages? Have you ever wanted to control how elements behave on the new Canvas Record Forms? This can be achievedKaizen #142: How to Navigate to Another Page in Zoho CRM using Client Script
Hello everyone! Welcome back to another exciting Kaizen post. In this post, let us see how you can you navigate to different Pages using Client Script. In this Kaizen post, Need to Navigate to different Pages Client Script ZDKs related to navigation A.Kaizen #210 - Answering your Questions | Event Management System using ZDK CLI
Hello Everyone, Welcome back to yet another post in the Kaizen Series! As you already may know, for the Kaizen #200 milestone, we asked for your feedback and many of you suggested topics for us to discuss. We have been writing on these topics over theKaizen #197: Frequently Asked Questions on GraphQL APIs
🎊 Nearing 200th Kaizen Post – We want to hear from you! Do you have any questions, suggestions, or topics you would like us to cover in future posts? Your insights and suggestions help us shape future content and make this series better for everyone.Kaizen #198: Using Client Script for Custom Validation in Blueprint
Nearing 200th Kaizen Post – 1 More to the Big Two-Oh-Oh! Do you have any questions, suggestions, or topics you would like us to cover in future posts? Your insights and suggestions help us shape future content and make this series better for everyone.
New to Zoho TeamInbox?
Zoho TeamInbox Resources
Zoho CRM Plus Resources
Zoho Books Resources
Zoho Subscriptions Resources
Zoho Projects Resources
Zoho Sprints Resources
Qntrl Resources
Zoho Creator Resources
Zoho CRM Resources
Design. Discuss. Deliver.
Zoho Show Resources
Get Started. Write Away!
Writer is a powerful online word processor, designed for collaborative work.
Zoho CRM コンテンツ
-
オンラインヘルプ
-
Webセミナー
-
機能活用動画
-
よくある質問
-
Ebook
-
-
Zoho Campaigns
- Zoho サービスのWebセミナー
その他のサービス コンテンツ
Nederlandse Hulpbronnen
ご検討中の方
Recent Topics
Change Last Name to not required in Leads
I would like to upload 500 target companies as leads but I don't yet have contact people for them. Can you enable the option for me to turn this requirement off to need a Second Name? Moderation update (10-Jun-23): As we explore potential solutions forHaving Trouble Opening The Candidate Portal
Recently am having trouble opening the Candidate Portal. It keeps loading but cannot display any widgets. Tried Safari, Chrome and Edge. Non of them work. Please solve the problem ASAP.Tip of the Week - Spot Risky Sales with Conditional Formatting
In Zoho Analytics, small tweaks can lead to big insights. One such feature is Conditional formatting based on other columns, your key to instantly spotting where sales success is overshadowed by product returns. Our tip this week shows you how to applyHow do I duplicate / copy a campaign
I am evaluation Zoho Campaigns and sent an email to one of my personal email accounts from Zoho Campaigns. It went into my junk file in Hotmail. I want to duplicate that same (1-page) campaign and send it to another of my personal accounts to try toFor a Bill, can "Pay via Check" - Can we also "Pay via Check" when documenting refund for payment?
We really like when we have a Bill in Zoho Books that we can record payment by selecting "Pay via Check" and that will cut the check for us from Zoho Books. However, when we have to write checks as a result of invoice overpayment, we can not select "PayCreator Change History: Ways to improve
Hi Everyone, Recently been working in developing this change history(an idea from Zoho Forms) - unlike forms that you can this with a click but using Creator, we can use "old" keyword. The concept I come up with is to put the result in a table however,Currency selector (based on variable) usage in comparsion
Hi, I've developed a currency selector based on the following topic, and it's working well in pivot tables and charts: https://help.zoho.com/portal/en/community/topic/how-can-i-allow-my-users-to-choose-a-currency-for-the-dashboard I also have a comparisonSuitability of Zoho One (Single User License) for Multi-State GST Compliance & Cost Analysis
Hello Zoho Team, I am an e-commerce business owner selling on platforms like Amazon, Flipkart, and Meesho, and I'm currently using their fulfillment warehouses. I have two GSTIN registrations and am planning to register for an additional 2-3 to expandadd employees and customiz
I want a Zoho software to track employees record. I logged in a demo so now I tried adding employee, first thing when I click on add employee it takes me to a page where it says add user maximum 10 users, my first doubt why users I don't want employeesInactive User Auto Response
We use Zoho One, and we have a couple employees that are no longer with us, but people are still attempting to email them. I'd like an autoresponder to let them no the person is no longer here, and how they can reach us going forward. I saw a similarZoho People Attendance Module - Split Shifts
Hello, Our business employs a number of college students who often split their workdays between work hours and class schedules, resulting in split shifts. For example: Employee 1 works 9am to 11:30am and then leaves for class, returning to work at 3pmZoho One subscription
we have got Zoho CRM for 3 users and we paid for the app , and we have still 9 months to go , but if we join Zoho one , does it mean the payment for that subscription would be a waste? Please help. Thanks.How Zoho CRM Can Enhance Your Faucets Accessories Business Operations?
In today's competitive market, having a reliable CRM system is crucial for managing customer relationships and streamlining business operations. For businesses in the faucets accessories niche, Zoho CRM offers powerful tools to help manage everythingDashboard
I’m currently working on a project using the Zoho IoT Cloud with an ESP32 and MQTT. I’ve successfully connected the ESP32 to Wi-Fi and MQTT, and the data from the ESP32 is displayed in the telemetry section of the cloud. However, when I try to createCan i connect 2 instagram accounts to 1 brand?
Can i connect 2 instagram accounts to 1 brand? Or Do i need to create 2 brands for that? also under what subscription package will this apply?Zoho Forms - Improved Sub-Forms
Hi Forms team, I'm helping a client move from JotForms to Zoho Forms and I've found another opportunity for improvement. In the below screenshot, JotForm left and Zoho Forms right. The Zoho Forms Sub-Form is quite a poor visually. There is no way to makeWhat's New in Zoho Billing | Q3 2025
Hello everyone, We are excited to share the latest set of updates and enhancements made to Zoho Billing in Q3 2025. From the latest GST updates to multi-level discounting, Zia-powered report summaries, and customizable web forms, these updates are designedHow to Delete Personal Account Linked with My Mobile Number in past or by someone else
How to Delete Account Created with My Mobile Number in past or by someone else This is creating issues in making or sync with my credentials mobile and email address..WhatsApp Business Calling API
Dear Zoho SalesIQ Team, I would like to request a feature that allows users to call WhatsApp numbers directly via Zoho SalesIQ. This integration would enable sending and receiving calls to and from WhatsApp numbers over the internet, without the needDoes Zoho Learn integrate with Zoho Connect,People,Workdrive,Project,Desk?
Can we propose Zoho LEarn as a centralised Knowledge Portal tool that can get synched with the other Zoho products and serve as a central Knowledge repository?Marketer's Space - Going beyond basics: Smarter ecommerce marketing with Zoho Campaigns
Hello Marketers, Welcome back to this week's Marketer's Space. In the last post, we discussed the basics of email marketing and how to get started with email marketing in ecommerce. In this part, we'll dive much deeper into some other advanced featuresConnecting two modules - phone number
Hi, I’d like some guidance on setting up an automation in Zoho CRM that links records between the Leads module and a custom module called Customer_Records whenever the phone numbers match. Here’s what I’m trying to achieve: When a new Lead is createdZoho Marketing Automation 2.0 - Landing Page function not working
Dear Zoho Team, I am working on implementing Zoho Marketing Automation 2.0, and am now looking into the section "Lead Generation". If I open the "Landing Pages" section, I immediately get an Error code: Error: internal error occurred. Can you help meUnable to use Sign "You have entereed some invalid characters"
Unable to use Sign "You have entered some invalid characters" I do not see any invalid characters. The text in "Leave a Note" is plain text which I entered directly into the field. See attached screenshotElevate your CX delivery using CommandCenter 2.0: Simplified builder; seamless orchestration
Most businesses want to create memorable customer experiences—but they often find it hard to keep them smooth, especially as they grow. To achieve a state of flow across their processes, teams often stitch together a series of automations using WorkflowMessages not displayed from personal LinkedIn profile
Hello. I connected both our company profile and my personal profile to Zoho social. I do see all messages from our company page but none from my private page. not even the profile is being added on top to to switch between company or private profile,"Performed changes in the query is not allowed due to following reason" when adding columns or reordering data
I'm trying to make changes to a query but every time i try to save it i get this error message. I'm not touching the data it's flagging. All I've tried to do is reorder a couple of fields and add a new one. Why won't it let me do this? It's a core queryOnboard new users easily with native screen recording in Zoho Projects Plus
Communication involving both visual and audio elements tends to capture more interest among the audience. Whenever we onboard new employees to the organization, the task of engaging them in the induction sessions, and keeping the spark going in theirRequest to Add Support for PDF Templates and More Flexibility in Email Editor
Hi Zoho Campaigns Team, I hope you're doing well. I wanted to share some feedback and request a few improvements in the Email Template feature of Zoho Campaigns. Right now, we can create email templates using the HTML editor, which is helpful. But we’reCan you stop Custom View Cadences from un-enrolling leads?
I'm testing Cadences for lead nurture. I have set un-enroll properties to trigger on email bounce/unsubscribe, and do NOT have a view criteria un-enroll trigger. However, help documents say that emails are automatically un-enrolled from a Cadence whenZoho Desk Android and iOS app update: Agent detail overview
Hello everyone! We’ve introduced agent detail overview on the Zoho Desk Android and iOS app update. With this feature, you can get a complete view of agent’s tickets, response times, logged hours (for both tickets and activities), customer happiness ratingsBlog Widget: Show recent blog posts on my homepage
Hey there I am using the Zoho Sites Blog feature. On my homepage, on the bottom I'd like to have a featured content section where I show some of my blog posts (selected, most recent, filtered by category and so on...). It would be nice to have a blogYouTube Live #2: Agreement Intelligence with Zoho Sign's eSign AI assistant
Hi there, We're back again with our YouTube live series and this time, we'll take you through our holistic agreement intelligence powered signature workflows. Struggling to draft an agreement? Need help double-checking clauses and going through complicatedHow to iterate through excel data using zoho rpa
I wanted to iterate or loop through excel data ( datatable). How can i do thatZoho Commerce
Hi, I have zoho one and use Zoho Books. I am very interested in Zoho Commerce , especially with how all is integrated but have a question. I do not want my store to show prices for customers that are not log in. Is there a way to hide the prices if notMass (Pull back) (Close WOs) (Close APs)
Hi develop team. Just idea because Zoho FSM is great but its too manual. we have a lot of task to do every day and the system needs to have more features to automatic our tasks. I need to close several WOs, APs and Pull Back per day. Please we need massCustomising Zohidesk portal default widgets
Hello, I'm wondering how could I customise the default widgets such as "popular topics", "popular articles" using CSS or to make the tiles at the bottom match the ones that I made in the picture attached. I have made some custom widgets and edited themIf there’s a batch at the end, the ‘mark as inactive’ function doesn’t work.
when my batch has a date to batch end and I "mark as inactive" he batch does not obey the status and reactivates the batch.Seamless multilingual messaging and tone control in Zia IM Composer
Hello everyone! Managing customer conversations across multiple languages can be time-consuming. Using Zia in the Instant Messaging (IM) Composer helps you overcome this by providing tools to translate content, adjust your tone, and refine your messagesAdvanced Deluge help needed with custom function and COQL limits
I have a scheduled function that takes a snapshot of specific metrics and saves them to a custom module. However I'm struggling with the limits of COQL. I attach my full code, but an example of the issues I'm having is that it's erroring with a 'LimitNext Page