The deadline for migrating from Authtoken to OAuth has been extended until May 31, 2021. Please switch to OAuth tokens before May 31 to prevent code breakage.
This post is regarding our upgrade to OAuth authentication for all the applications in the Zoho suite.
We still have a fair number of users and orgs who are using authtokens in their functions to make calls to other Zoho services like Creator, Books, Projects, etc., from Zoho CRM. We would like to bring to your notice that from May 1, 2021, all functions that use authtokens while making calls to other Zoho services will fail.
The sunset of basic authentication mode (Authtokens)
We hope you're aware that we've stopped the generation of authtokens for all the Zoho suite applications.
This update came into effect for IN users from September 30th, 2020, for EU and CN users from October 30th, 2020, and for US users from November 30th, 2020. Refer to the announcement for more information.
The impact of the sunset
All the integration tasks that follow authtoken authentication will cease to work.
Why the upgrade?
Authtokens are quite straightforward. The user has to provide their username and password to get the authentication token (authtoken) to access the API. The authentication token is passed in the request header for every API request. The flaws in this authentication mechanism are evident.
- The lack of encryption makes the security risk fairly high.
- There is no way to grant or revoke access to specific resources in an application.
At Zoho, we take security very seriously, which motivates us to go to great lengths to ensure that your data is safe. Thus, we've upgraded to OAuth.
The OAuth Authentication
OAuth 2.0 is an industry-standard protocol specification that enables third-party applications (clients) to gain delegated access to protected resources in Zoho via an API.
Advantages of OAuth Authentication
- Clients are not required to support password authentication or store user credentials.
- Clients gain delegated access, i.e., access only to resources the user has authorized.
- Users can revoke the client's delegated access anytime.
- OAuth 2.0 access tokens expire after a set time. If the client faces a security breach, user data will be compromised only until the access token expires.
Migrating from Authtoken authentication to OAuth
Refer to the announcement to know the next steps on migrating from authtoken to OAuth tokens.
We strongly recommend that you migrate to OAuth tokens on or before May 1, 2021, to avoid any breakage in your code.