Kaizen #168 - Incremental Authorization

Kaizen #168 - Incremental Authorization


Welcome to this week's post in the Kaizen series. In this post, we will discuss Incremental Authorization. 

What is Incremental Authorization?

Incremental Authorization is an OAuth strategy that allows a client to request specific authorization scopes as and when needed. This means that the client does not have to request every possible scope that might be needed upfront, which might result in a bad user experience. Incremental Authorization is considered a best practice in Oauth Authorization Request as:
  • Users are not overloaded with scopes in the initial stage
  • Users can control the amount of data they share

Who can use Incremental Authorization?

Server-based applications can make use of incremental authorization 

Incremental Authorization Flow

Incremental Authorization Flow

When a user first signs into the application, the application requests only the essential permissions needed. The user may trigger features that require additional permissions as they engage with the application. When the application identifies this, it follows the below steps:

Initiation Request (Step 1: Get Scope Enhancement Token )

The application makes a POST request to the endpoint /oauth/v2/token/scopeenhance, including the existing refresh token as a parameter. This request is aimed at obtaining a scope enhancement token, which is necessary for requesting additional permissions.

Scope Enhancement Request (Step 2)

After receiving the scope enhancement token, the app then makes a request to the endpoint /oauth/v2/token/addextrascope. In this request, it specifies which additional scopes are needed.

User Consent

The user is presented with a consent screen that details the new permissions being requested. This screen will only show the new permissions required and not those already granted.
If the user approves these new permissions, the refresh token (used in Step 1) and its associated access tokens will be updated to include the newly granted scopes.

Success Response

Upon successful approval by the user, a success response is returned, confirming that the additional scopes have been appended to the existing refresh token.

When is Incremental Authorization Useful?

Let us take a look at two scenarios where incremental authorization is particularly useful.

Scenario 1 

Zylker Marketing, a marketing agency, utilizes a custom in-house marketing tool that integrates with Zoho CRM.  Initially, the tool has permission to read Leads in Zoho CRM. However, as the marketing team expands their operations, they realize that they require to create new Contacts based on sign-ups and retrieve existing deals data for analysis. The tool is then revamped to create Contacts and view Deals data. 
When a marketer who uses the tool tries to create a Contact for the first time, the incremental authorization method is called in the backend. The marketer is redirected to the Zoho login page. Once logged in, the marketer is prompted to give access to the new resources. This enhances the refresh token, and the tool can continue using the same refresh token. 

Scenario 2

Consider that you want to use a new Zoho CRM API that just got released as part of the version release. Your refresh token does not have the required scope to access the new API.  You can make use of incremental authorization to append the required scope to the same refresh token in these cases.

How can you use Incremental Authorization?

Step 1: Initiation Request 

First, you need to send a request to get the scope enhancement token along with the refresh token for which the extra access is required.

Request format

POST 
{accounts-url}/oauth/v2/token/scopeenhance
?grant_type=update_scopes_token
&client_id={client_id}
&client_secret={client_secret}
&refresh_token={refresh_token}


The accounts-url is specific to the location (i.e., datacenter) where the client is registered. See all the server-specific URLs.
Request Parameters 
You should send the initiation request with the below parameters. All parameters are mandatory
  • grant_type: Specify the value as "update_scopes_token".
  • client_id: Specify the client-id obtained from the API console.
  • client_secret: Specify client-secret obtained from the API console.
  • refresh_token: Specify the refresh token to which the additional scopes should be appended.
You will receive a response in the below format
{
"access_token": "{scope_enhancement_token}",
"token_type": "update_scope",
"expires_in": 600
}

The scope_enhancement_token received in this response should be passed as a parameter in the next step - scope enhancement request.

Step 2: Scope enhancement request

This request appends the refresh token with additional scopes.
Request format
GET
{accounts-url}/oauth/v2/token/addextrascope
?response_type=update_scopes
&client_id={client_id}
&redirect_uri={redirect_uri}
&scope={required_scopes}
&enhance_token={scope_enhancement_token}
&logout=true

Parameters
  • response_type: Specify the value as "update_scopes".
  • client_id: Specify the client-id obtained from the API console.
  • redirect_uri : Specify the URI to which the authorization server will redirect the browser back with success or failure response. It has to be the same URI which is provided when registering the app in the API console.
  • scope: Specify the scopes of the additional resources for which access is required.
  • enhance_token: Scope enhancement token received in the response of the previous initiation request. 
  • logout: Specify as true if the user's session should be terminated after the permission is granted or rejected.
When this request is called, the application redirects the user to the Zoho Login page, and the user enters the Zoho credentials. Then, the permissions required are displayed once the user is authenticated.
The refresh token will be appended with the additional scopes, and a success response will be returned when the user grants permission. The user will be redirected to the redirect_uri with params status as success and scope_enhanced as true. The user can continue using the same refresh token can be used. If the user rejects the authentication, the system returns a failure response.  The user will be redirected to the redirect_uri with params error as access_denied.

You will receive a response in the below formats:

Success Response
{redirect_uri}?status=success&scope_enhanced=true

Failure Response
{redirect_uri}?error=access_denied

We hope you found this post useful. We will meet you next week with another interesting topic!
If you have any questions, let us know in the comment section.
Cheers!


    • Sticky Posts

    • Kaizen #198: Using Client Script for Custom Validation in Blueprint

      Nearing 200th Kaizen Post – 1 More to the Big Two-Oh-Oh! Do you have any questions, suggestions, or topics you would like us to cover in future posts? Your insights and suggestions help us shape future content and make this series better for everyone.

    • Kaizen #226: Using ZRC in Client Script

      Hello everyone! Welcome to another week of Kaizen. In today's post, lets see what is ZRC (Zoho Request Client) and how we can use ZRC methods in Client Script to get inputs from a Salesperson and update the Lead status with a single button click. In this

    • Kaizen #222 - Client Script Support for Notes Related List

      Hello everyone! Welcome to another week of Kaizen. The final Kaizen post of the year 2025 is here! With the new Client Script support for the Notes Related List, you can validate, enrich, and manage notes across modules. In this post, we’ll explore how

    • Kaizen #217 - Actions APIs : Tasks

      Welcome to another week of Kaizen! In last week's post we discussed Email Notifications APIs which act as the link between your Workflow automations and you. We have discussed how Zylker Cloud Services uses Email Notifications API in their custom dashboard.

    • Kaizen #216 - Actions APIs : Email Notifications

      Welcome to another week of Kaizen! For the last three weeks, we have been discussing Zylker's workflows. We successfully updated a dormant workflow, built a new one from the ground up and more. But our work is not finished—these automated processes are

      • Recent Topics

      • Changing the owner of a call

        Am I correct in my conclusion that I cannot change the owner of a call in Zoho? The field does not show up in the screen, nor can I make it show up as the systems does not give me that option. I cannot "mass update" it either. I tried it, but Zoho refuses to change the name of the owner. Please help out: how do I change the owner of a call.

      • Unified Notes View For Seamless Collaboration

        To facilitate better coordination among different departments and team members, the notes added to a record can now be accessed in all its associated records. With this, team members, from customer service representatives to field technicians, can easily

      • Remove Profiles from "Forecast" Module

        How can I remove Profiles from My forecast Module? Image Below The only revenue generators are the VP's, and the Estimation Managers, and the Estimators subordinate to the Est. Managers. How can I remove the unused Profiles? Its frustrating to see them

      • Manage Every Customer Conversation from Every Channel inside Zoho SalesIQ

        Your customers message you from everywhere. But are you really able to track, manage, and follow through on every conversation, without missing anything? With interactions coming in from websites, mobile apps, and messaging platforms like WhatsApp and

      • Integrate Excel or Zoho Sheet functions / calculations to CRM product module

        Hello Community, I hope someone more experienced can help me with this question. Our price / payment plan calculations are in an Excel spreadsheet and I would like to use all those functions / calculations in my Products module. So when we send a quote

      • Sync CRM Contacts to USER'S contacts on Office 365

        I can see that the O365 sync is transferring contacts backwards and forwards between Zoho CRM and Office365. But it has created a separate address book in Office 365 called "Zoho CRM Contacts". This address book is not used by Office/Outlook's email function

      • Uplifted homepage experience

        Editions: All editions. Availability update: 17th February 2026: All editions in the CA and SA DC | JP DC (Free, Standard and Professional editions) 23 February 2026: JP (All Editions) | AU, CN (Free, Standard, Professional editions) 27 February 2026:

      • Logging Out of FSM

        I have tried to log out of FSM app of the last person and it will not let me do so. I need to log in to my account.

      • Restoring records from the recycle bin programatically

        Background I'm working on a piece of software to automate conversion of Leads into Deals based on order status from my company's website. The process is mostly complete, right now I'm just working on handling a few edge cases to ensure data integrity.

      • Does Zoho Learn integrate with Zoho Connect,People,Workdrive,Project,Desk?

        Can we propose Zoho LEarn as a centralised Knowledge Portal tool that can get synched with the other Zoho products and serve as a central Knowledge repository?

      • All new Address Field in Zoho CRM: maintain structured and accurate address inputs

        Availability Update: 29 September 2025: It's currently available for all new sign-ups and for existing Zoho CRM orgs which are in the Professional edition exclusively for IN DC users. 2 March 2026: Available to users in all DCs except US and EU DC. Latest

      • Create static subforms in Zoho CRM: streamline data entry with pre-defined values

        Last modified on (9 July, 2025): This feature was available in early access and is currently being rolled out to customers in phases. Currently available for users in the the AU, CA, and SA DCs. It will be enabled for the remaining DCs in the next couple

      • SalesIQ Identity Update for Logged In Wordpress User

        Hey folks, SalesIQ does not automatically detect when a visitor logs in to WordPress and update their identity to match. For example, if a client of ours visits the site and logs in, SalesIQ will not track them correctly by default. The Solution The solution

      • Feature Request – Conditional Visitor Information Request in Zoho SalesIQ

        We would like to request the ability to conditionally ask for visitor details based on the communication channel used in Zoho SalesIQ. Specifically: When a visitor initiates a conversation through the live chat widget on the website, we want to continue

      • Add zoho calendar to google calendar

        Hi I keep seeing instructions on how to sync Zoho CRM calendar with google calendar but no instructions on how to view Zoho calendar in my google calendar.

      • Prevent subform editing on a module's detail's page

        Hi everyone, We would like to prevent any editing of the subform data in the : Create page Edit page Details page (as subform editing is now allowed by the recent UX update) We are able to prevent editing by making the subform fields read only in the

      • Promote a layout to standard so I can delete one layout

        Similar to this and many other topics: https://help.zoho.com/portal/en/community/topic/set-layout-as-standard The problem, every model has a standard layout, which is what we use most of the time... But as the business grows and evolves we may have to

      • Workdrive on Android - Gallery Photo Backups

        Hello, Is there any way of backing up the photos on my android phone directly to a specific folder on Workdrive? Assuming i have the workdrive app installed on the phone in question. Emma

      • Auto sync Photo storage

        Hello I am new to Zoho Workdrive and was wondering if the is a way of automatically syncing photos on my Android phone to my workdrive as want to move away from Google? Thanks

      • Is anyone experience missing functions in the new UI until hard refresh?

        The set of functions including search is almost always missing upon loading an app in the new UI. If you refresh, the functions return. (see second screenshot) Anyone else experiencing this?

      • Conversion Rate – Won Deals over Assigned Prospects

        Hello, I would like assistance configuring a KPI in Zoho Analytics titled: Objective of the calculation: Number of Won Deals divided by Total number of assigned prospects (not only converted prospects). Important clarification: The denominator must include

      • emailing estimates

        Shows up in the customer mail logs as sent but nobody is receiving them, even when I send them to myself I don't get them ??? Something wrong with the mail server or my end ?

      • Not receiving New Ticket Emails

        Hello! The company I work for uses the Zoho ticketing system, however, I've noticed I'm not receiving email notifications when new tickets are published. I have admin rights to see these tickets on Zoho Desk and respond to them, but am not receiving the

      • Can't update a field on a parent form from a child form's On Success workflow

        Title: Can't update a field on a parent form from a child form's On Success workflow Hi everyone, I'm building a simple Golf Lesson Tracker app and I'm stuck on what should be a basic operation — updating a number field on a parent form when a child form

      • Approvals in Zoho Creator

        Hi, This is Surya, in one of  my creator application I have a form called job posting, and I created an approval process for that form. When a user submits that form the record directly adding to that form's report, even it is in the review for approval.

      • Upload from Zoho Creator File Upload field to OpenAI Vector Store

        I’ve struggled for quite a while to get this working properly. For a long time we relied on Azure Functions as a workaround to handle file transfers between Zoho Creator and OpenAI Vector Stores. It worked, but added unnecessary infrastructure and complexity.

      • Allow Admin to Configure Report > More Options Button

        As an Admin, I want to configure the options of the Report > More Options button to improve UX and reduce Developer overhead. See attached screenshot. Original question posted here: https://help.zoho.com/portal/en/community/topic/modify-standard-rep

      • Calendar start time limit

        Hi all, Has anyone found a magical way to filter calendar reports to start from, let's say 8:00, and not 0:00? Or at least to auto scroll there like Google Calendar for example?

      • Enable Free External Collaboration on Notecards in Zoho Notebook

        Hi Zoho Notebook Team, I would like to suggest a feature enhancement regarding external collaboration in Zoho Notebook. Currently, we can share notes with external users, and they are able to view the content without any issue. However, when these external

      • EU Problem

        Hi all, we've been facing issues with the Europe data center for two days. It's starting to disrupt our daily workflow. Any word on when this will be resolved?

      • How can I clone my website in order to try new templates?

        I want to try a new template for my existing Zoho website without the risk of changing the current site or accidentally publishing the wrong template. Therefore I thought a 'clone website'-option should be somewhere, but I can't find it. How do I try

      • Is it possible to update multiple work items at once?

        Hi, Is it possible to update the statuses/release tags of multiple work items at once? I came across this thread that says it's not possible at the moment, but it was related to the Sprints mobile app. Does this feature not exist in the website as well?

      • Custom Module Missing from Roles & Permissions List

        Hi Zoho Community, I created a new Custom Module in Zoho Expense. The module is fully built and I can see it in the Module Builder (Settings > Customization > Modules). However, I am unable to deploy this to my users because the module does not appear

      • Pivot Report Formula - using a today() variable

        Is it possible for me to use a value of today() in a formula on a pivot table? I'm trying to identify where the end date of a project is greater than the current date if("10. Projects (Zoho Projects).End Date" > today(), 'Yes', 'No') I get the error that

      • Custom view inconsistencies

        Why is "is not" missing from criteria, along with other comparison operators ??? It makes it almost impossible to build required custom views, I don't want "void" invoices listed & why on earth would "Void" invoices be showing when the criteria includes

      • Need Customer Item Inward Module along with QC

        Need Customer Item Inward Module along with QC 1. Using Transfer Orders hit the item balance sheet 2. Items without inventory it becomes difficult for tracking purpose. 3. Custom Modules become tedious to capture multiple items, item subforms are not

      • Zoho CRM Quotes – Subform and PDF/Writer Limitations

        Hello, I am encountering the following limitations in Zoho CRM Quotes: Custom product images cannot be uploaded in the subform – the image upload field cannot be added; only the file upload field is available. File upload placeholders cannot be used in

      • Apple Messages for Business in Omnichannel communications?

        Hello, Apple launched "Apple Messages for Business" but Zoho CRM or Zoho Desk don't appear in the list of possible integrators. Zoho already promotes https://www.zoho.com/crm/omnichannel.html Omni Channel integration, but Apple Messages does not yet appear.

      • Possible to Turn Off Automatic Notifications for Approvals?

        Hello, This is another question regarding the approval process. First a bit of background: Each of our accounts is assigned a rank based on potential sales. In Zoho, the account rank field is a drop-down with the 5 rank levels and is located on the account

      • Will be possible to create a merge mail template for products?

        Hi, we would need to create a mail merge template for products (native) module. Will be possibile? or do you have a smart solutions to merge products data with a mail merge? thanks Chris

      • Next Page