Why we chose "OAuth2.0" over other authentication methods?
Hello everyone!
While there are various authentication methods available for REST APIs, we use OAuth2.0. In this article, we are going to discuss the most popular authentication methods, their pros and cons, and the reason why we chose OAuth2.0 over other authentication methods.
As the name suggests, HTTP basic authentication is the most simple and straightforward form of authentication, and hence most vulnerable. In this authentication method, the user passes the username and password along with every API request.
Pros:
- Implementation of HTTP basic authentication is quite simple since there is no encryption/tokenisation involved.
- Compared to other authentication methods, the HTTP basic authentication is faster.
Cons:
- The lack of encryption makes it most vulnerable to security attacks.
- Every API call can be a target for cleartext credential theft, not just an initial login request.
- Since the same username and password will be used for product login, in case of a security breach, all your data will be compromised.
- To recover from a security breach, you must update your password and update the same in all your API code, which is tedious.
- The server cannot grant/revoke access to specific resources. In other words, you cannot apply scopes. You can only grant full access to all the resources.
2. API Key Authentication
API key authentication is an advanced form of basic HTTP authentication. In this method, when a user logs in for the first time, the server generates a unique key (string value) and assigns it to the user, known as the API key. The user must pass the API key with every API request with which the server verifies the identity of the user.
Pros:
- Comparatively more secure than the "HTTP basic authentication", since the username and password are not passed as such, with every API request.
- Unlike HTTP Basic authentication, API keys provide access to specific resources. In the case of a security breach, only a specific set of data will be compromised.
Cons:
- API keys are vulnerable to security attacks. They can be stolen and misused.
- To recover from a security breach, you must regenerate the API key, and update the same in all your API code, which is tedious.
3. OAuth2.0
OAuth2.0 is an industry-standard protocol specification that enables third-party applications (clients) to gain delegated access to protected resources in Zoho via an API.
In this method, the client app requests the authentication server for access to specific resources and receives a grant token in return. Further, the grant token can be used to generate access and refresh tokens. The access token is used to access resources. It is valid only for a set amount of time. Once the access token expires, new access tokens can be generated using refresh tokens.
Pros:
- Using OAuth2.0, you can verify the identity of the client and also provide delegated access to each resource. Thus, allowing you to both authenticate and authorize.
- Comparatively more secure than "HTTP basic authentication" and "API key authentication", since it does not involve username-password or static key.
- OAuth2.0 uses scopes to ensure limited access to sensitive data. The grant token is generated to access a specific set of data, defined by scopes.
- You can revoke the tokens any time, thus restricting the client's access to sensitive data.
- Each access token is valid for only an hour and can only be used for operations defined in the scope.
- OAuth2.0 can be easily scaled to a multi-user environment without any hassle.
Cons:
- It is complex to generate tokens. Since the tokens are valid only for a short period, the developer must regenerate the access token using the refresh token.
Clearly, OAuth2.0 is both scalable and secure. Although it is complex, because of its other advantages, we chose OAuth2.0 over other authentication methods.
Cheers!
Access your files securely from anywhere
New to Zoho Recruit?
Zoho Developer Community
New to Zoho LandingPage?
Zoho LandingPage Resources
New to Zoho Survey?
New to Zoho CRM Plus?
Deliver unforgettable customer experiences
New to Zoho CRM Plus?
Deliver unforgettable customer experiences
New to Zoho Marketing Plus?
Everything you need to run your marketing
New to Zoho Marketing Plus?
Everything you need to run your marketing
New to Bigin?
Topic Participants
Sneha Sridharan
Sticky Posts
Kaizen #210 - Answering your Questions | Event Management System using ZDK CLI
Hello Everyone, Welcome back to yet another post in the Kaizen Series! As you already may know, for the Kaizen #200 milestone, we asked for your feedback and many of you suggested topics for us to discuss. We have been writing on these topics over theKaizen #152 - Client Script Support for the new Canvas Record Forms
Hello everyone! Have you ever wanted to trigger actions on click of a canvas button, icon, or text mandatory forms in Create/Edit and Clone Pages? Have you ever wanted to control how elements behave on the new Canvas Record Forms? This can be achievedKaizen #197: Frequently Asked Questions on GraphQL APIs
🎊 Nearing 200th Kaizen Post – We want to hear from you! Do you have any questions, suggestions, or topics you would like us to cover in future posts? Your insights and suggestions help us shape future content and make this series better for everyone.Kaizen #198: Using Client Script for Custom Validation in Blueprint
Nearing 200th Kaizen Post – 1 More to the Big Two-Oh-Oh! Do you have any questions, suggestions, or topics you would like us to cover in future posts? Your insights and suggestions help us shape future content and make this series better for everyone.Celebrating 200 posts of Kaizen! Share your ideas for the milestone post
Hello Developers, We launched the Kaizen series in 2019 to share helpful content to support your Zoho CRM development journey. Staying true to its spirit—Kaizen Series: Continuous Improvement for Developer Experience—we've shared everything from FAQs
New to Zoho TeamInbox?
Zoho TeamInbox Resources
Zoho CRM Plus Resources
Zoho Books Resources
Zoho Subscriptions Resources
Zoho Projects Resources
Zoho Sprints Resources
Qntrl Resources
Zoho Creator Resources
Zoho CRM Resources
Design. Discuss. Deliver.
Zoho Show Resources
Get Started. Write Away!
Writer is a powerful online word processor, designed for collaborative work.
Zoho CRM コンテンツ
-
オンラインヘルプ
-
Webセミナー
-
機能活用動画
-
よくある質問
-
Ebook
-
-
Zoho Campaigns
- Zoho サービスのWebセミナー
その他のサービス コンテンツ
Nederlandse Hulpbronnen
ご検討中の方
Recent Topics
Unable to Send Emails – Outgoing Mail Blocked (Error 554 5.1.8)
Description: Hello Zoho Support Team, I am facing an issue with my Zoho Mail account ( admin@osamarahmani.tech ). Whenever I try to send an email, I get the following error: 554 5.1.8 Email Outgoing Blocked I would like to clarify that I have not doneIssue connecting Zoho Mail to Thunderbird (IMAP/SMTP authentication error)
Dear Zoho Support, I am trying to configure my Zoho Mail account on Thunderbird, but I keep getting authentication errors. Account: info@baktradingtn.com Domain: baktradingtn.com Settings used: IMAP: imap.zoho.com, Port 993, SSL/TLS, Normal Password SMTP:Payment issue with Mail Lite plan – personal NIF not accepted as payment info
Hello, I have already contacted Zoho Support by email regarding this, but since I haven’t received any reply yet, I’m sharing it here as well to see if the community can help. I’m facing a payment issue for my Mail Lite plan. I have a personal accountCustomer payment alerts in Zoho Cliq
For businesses that depend on cash flow, payment updates are essential for operational decision-making and go beyond simple accounting entries. The sales team needs to be notified when invoices are cleared so that upcoming orders can be released. In contrast,{"code":1038,"message":"JSON is not well formed"}
Today this began failing: sales_order_data = zoho.books.createRecord("salesorders",books_organization_ID,order_data); with this error message. {"code":1038,"message":"JSON is not well formed"} This code has been running for two years. Here is the inputIn arattai received message can't be deleted
The issue has been noticed in following: arattai app (Android) arattai app (Window) arattai web While the message posted by me may be deleted, the ones received from others can't be. The item <Delete> change to <Report> when the message is a receivedZoho Editor
Zoho PDf Editor is not working I am clicking on EDIT PDf then it again bringing me back to the same page. again and again.Figma in Zoho Creator
Hi Team, I’m creating a form using Figma and would like to know how to add workflows like scheduling, custom validation, and other logic to it. Can anyone help me understand how to set this up for a Figma-based Creator UI form?How to Delete Personal Account Linked with My Mobile Number in past or by someone else
How to Delete Account Created with My Mobile Number in past or by someone else This is creating issues in making or sync with my credentials mobile and email address..Enable / show scroll bar when Mega Menu is opened
Hey there I am using the mega menu add-on and experience a "flicker" whenever the mega menu opens. The reason is, that the scrollbar, which has a width of a few pixels, stops showing when the mega menu opens. As the scrollbar disappears the whole pageRestore lost Invoice!
Some time ago I tried to Upgrade from Invoice to Books. I not upgraded and staid n Invoice. Now i tried again and first i deleted the old trial of books. But now all is gone, PLEASE HELP!! i have no backup and i have to have at least 7 years data retention by law.Zoho Desk Down
Not loadinglookup and integrated forms
I might be misunderstanding things but I wanted to integrate our zoho crm contacts into creator. I imagined that when I used the integration it would mirror into creator. It did brilliant. BUT We have a ticket form in creator that we want to use a lookupPartially receive PO without partial Bill?
Most of our inventory is pre-paid. Let's say we purchase 30 pieces of 3 different items for a total of 90 pieces. It is common for our supplier to send us the items as they are ready. So we will receive 30 pieces at a time. How can I partially receive2 users editing the same record - loose changes
Hello, I'm very new to Zoho so apology if this has been addressed somewhere i can't find. I have noticed the following: If we have 2 users put an inventory item in edit mode at the same time: say user1 click on edit and user2 while user1 is still in edit,How to get the Dashboard page to be the first page when you open the app
So when it opens on a tablet or phone it opens on the welcome page, thanks.How I set default email addresses for Sales Orders and Invoices
I have customers that have different departments that handle Sales Orders and Invoices. How can i set a default email for Sales Orders that's different than the default email for Invoices? Is there a way I can automate this using the Contact Persons DepartmentsAdding hyperlinks in CRM emails time automatically
It may just be me, but when I am writing an email to a lead, I find inserting a hyperlink very time consuming. Granted, I can use templates but there are a ton of scenarios where I might want to put a link in to an website that wouldnt require me to go though the effort of creating a template. Ideally, the crm would identify that I that a string of text is a URL and insert the hyperlink automatically, just like microsoft outlook or gmail. Has anyone else had this same experience and found a wayNotes Attachments
Two things it would be nice to have the attachment size the same as the attachments sections and it would be nice to be able to attach links like you can in the attachments section. Thank youZoho Sheet - Desktop App or Offline
Since Zoho Docs is now available as a desktop app and offline, when is a realistic ETA for Sheet to have the same functionality?I am surprised this was not laucned at the same time as Docs.Formula fields not refreshing until page is reloaded
I need help/advice about the formula fields and how I can refresh the information in real-time. We have two formula fields on our deals page which show calculated prices: One formula is in a subform which calculates the subform total + 1 other field amountHow can I setup Zoho MCP with Chat GPT
I can set up custom connections with Chat GPT but I cat an error when I try to set it up. The error is: "This MCP server can't be used by ChatGPT to search information because it doesn't implement our specification: search action not found" Thoughts?Export Invoices to XML file
Namaste! ZOHO suite of Apps is awesome and we as Partner, would like to use and implement the app´s from the Financial suite like ZOHO Invoice, but, in Portugal, we can only use certified Invoice Software and for this reason, we need to develop/customize on top of ZOHO Invoice to create an XML file with specific information and after this, go to the government and certified the software. As soon as we have for example, ZOHO CRM integrated with ZOHO Invoice up and running, our business opportunitiesAPI ZOHO CRM Picket list with wrong values
I am using Zoho API v.8. with python to create records in a custom module named "Veranstaltung" in this custom module I've got a picket list called "Email_Template" with 28 Values. I've added 8 new values yesterday, but if I try to use on of those valuesGroup Emails
I have synced Zoho CRM to Campaigns but there are certain email not synced. showing it is Group Emails, but this email ids belongs to different individuals. please provide a solution as i nedd to sync the same.Enable Password Import option in ulaa browser
Dear Ulaa Team, I noticed that the Ulaa Password Manager currently offers an option to export passwords, but not to import them. This limitation poses a challenge for users like me who have stored numerous credentials in browsers like Chrome. Manually"Is Zoho CRM customer" vs "Is linked with Zoho CRM"
Recently while building a Flow, I was setting up a Decision action following a Zoho Invoice Fetch record action. There were 2 choices that I had not seen as something I could manually action in Zoho Invoice: "Is Zoho CRM customer" and "Is linked withClient Script | Update #13 - Introducing ZRC: Simplified HTTP request library
Hello Developers! Are you tired of juggling different methods to make API calls? Are you confused with multiple syntaxes and version restrictions? Have you ever wished for one simple way to make all API calls in CRM? We heard you :) Here comes ZRC (ZohoSelection Filed for Data Export section
Hi FSM Team, I hope you are all doing well. I would like to share an idea for future development based on my experience. Currently, in FSM, we can only download up to 5,000 records at a time. If the development team could add a selection option to chooseText wrap column headers in reports?
Is it possible to auto wrap column headers so that a longer multi-word header displays as two lines when the column is narrower than the width of the header title?What if I dont see contacts on the left side list
My CRM does not show the contacts tab. In order to create list this is needed and I cant find it.Comments Vs. Replies
I'm curious as to the difference between a "Reply" and a "Comment" on a ticket. It appears that "Replies" are what's used to determine response time SLA's and there are also used to automatically re-open tickets. I'm just trying to understand the key differences so I can educate both our clientele and our back-end users on which function/feature to use to better improve the ticket lifecycle. If anyone has any insight it would be appreciated. Thanks!Transitioning to API Credits in Zoho Desk
At Zoho Desk, we’re always looking for ways to help keep your business operations running smoothly. This includes empowering teams that rely on APIs for essential integrations, functions and extensions. We’ve reimagined how API usage is measured to giveAdd Custom Reports To Dashboard or Home Tab
Hi there, I think it would be great to be able to add our custom reports to the Home Tab or Dashboards. Thanks! ChadResetting auto-number on new year
Hi everyone! We have an auto-number with prefix "D{YYYY}-", it generates numbers like D2025-1, D2025-2, etc... How can we have it auto-reset at the beginning of the next year, so that it goes to D2026-1? Thanks!Microsoft Phone Link
Does anyone know if you can use Microsoft Phone Link to make calls through Zoho?Voip Phone system that integrates with Zoho
Just checking to see if anyone could tell me what phone system they are using with Zoho that is on the list of systems that integrate with Zoho. I use Vonage and have been with them for quite a few years but their service has really gone down hill andRemoving Related Modules Lookup Fields Assignment / Relationship
Issue: When creating a related list, I accidently selected module itself creating a circle reference. See attached. Situation: I wish to relating a custom module called "Phone Calls" to Leads and Contacts. Outcome: 1) I either want to remove the this[Product Update] TimeSheets module is now renamed as Time Logs in Zoho Projects.
Dear Zoho Analytics customers, As part of the ongoing enhancements in Zoho Projects, the Timesheets module has been renamed to Time Logs. However, the module name will continue to be displayed as Timesheets in Zoho Analytics until the relevant APIs areKaizen #210 - Answering your Questions | Event Management System using ZDK CLI
Hello Everyone, Welcome back to yet another post in the Kaizen Series! As you already may know, for the Kaizen #200 milestone, we asked for your feedback and many of you suggested topics for us to discuss. We have been writing on these topics over theNext Page