In this flow, the access and refresh tokens are specific to the org and the environment they were generated for. You cannot use the tokens generated for one org in an environment to make calls to another org in an environment.
Why are we making this change?
Increased security and restricted data access.
In this flow, the user can grant the app access only to a particular org in an environment. Therefore, if the access token is breached, the data in the orgs under other environments is still safe.
Who should be concerned?
Application owners who use the same access and refresh tokens to make API calls to more than one environment must ensure that they use tokens specific to the org and the environment they were generated for.
This update will be opened to customers in phases from today (May 07, 2020).
Cheers!
Shylaja
Zoho CRM
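
An added example, not part of the original announcement and not Zoho's code: one way a client application can keep a separate grant per org and environment and fail closed rather than reuse a token across them. The class and function names, the `refresher` callable and the environment labels are assumptions made for illustration.

```python
import time
from typing import Callable, Dict, NamedTuple, Tuple

Scope = Tuple[str, str]  # (environment, org_id); labels here are constructed


class NoGrantForScope(Exception):
    """The user has not granted access to this org in this environment."""


class Grant(NamedTuple):
    access_token: str
    refresh_token: str
    expires_at: float  # epoch seconds


class ScopedTokenStore:
    """Holds one grant per (environment, org) and never reuses it elsewhere."""

    def __init__(self, refresher: Callable[[Scope, str], Grant], clock=time.time):
        # `refresher` is a hypothetical callable that exchanges a refresh token
        # for a new grant; the real token endpoint is not described on the page.
        self._refresher = refresher
        self._clock = clock
        self._grants: Dict[Scope, Grant] = {}

    def save(self, environment: str, org_id: str, grant: Grant) -> None:
        self._grants[(environment, org_id)] = grant

    def access_token(self, environment: str, org_id: str, skew: float = 30.0) -> str:
        scope = (environment, org_id)
        grant = self._grants.get(scope)
        if grant is None:
            # Fail closed: never fall back to a token issued for another scope.
            known = sorted(self._grants)
            raise NoGrantForScope(f"no grant for {scope}; grants exist for {known}")
        if grant.expires_at - skew <= self._clock():
            # Refresh with this scope's own refresh token only.
            grant = self._refresher(scope, grant.refresh_token)
            self._grants[scope] = grant
        return grant.access_token
```

An application that previously kept a single shared token would call `save` once per org and environment after each user grant, then look tokens up by the target of every API call.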