Kaizen #168 - Incremental Authorization

Kaizen #168 - Incremental Authorization


Welcome to this week's post in the Kaizen series. In this post, we will discuss Incremental Authorization. 

What is Incremental Authorization?

Incremental Authorization is an OAuth strategy that allows a client to request specific authorization scopes as and when needed. This means that the client does not have to request every possible scope that might be needed upfront, which might result in a bad user experience. Incremental Authorization is considered a best practice in Oauth Authorization Request as:
  • Users are not overloaded with scopes in the initial stage
  • Users can control the amount of data they share

Who can use Incremental Authorization?

Server-based applications can make use of incremental authorization 

Incremental Authorization Flow

Incremental Authorization Flow

When a user first signs into the application, the application requests only the essential permissions needed. The user may trigger features that require additional permissions as they engage with the application. When the application identifies this, it follows the below steps:

Initiation Request (Step 1: Get Scope Enhancement Token )

The application makes a POST request to the endpoint /oauth/v2/token/scopeenhance, including the existing refresh token as a parameter. This request is aimed at obtaining a scope enhancement token, which is necessary for requesting additional permissions.

Scope Enhancement Request (Step 2)

After receiving the scope enhancement token, the app then makes a request to the endpoint /oauth/v2/token/addextrascope. In this request, it specifies which additional scopes are needed.

User Consent

The user is presented with a consent screen that details the new permissions being requested. This screen will only show the new permissions required and not those already granted.
If the user approves these new permissions, the refresh token (used in Step 1) and its associated access tokens will be updated to include the newly granted scopes.

Success Response

Upon successful approval by the user, a success response is returned, confirming that the additional scopes have been appended to the existing refresh token.

When is Incremental Authorization Useful?

Let us take a look at two scenarios where incremental authorization is particularly useful.

Scenario 1 

Zylker Marketing, a marketing agency, utilizes a custom in-house marketing tool that integrates with Zoho CRM.  Initially, the tool has permission to read Leads in Zoho CRM. However, as the marketing team expands their operations, they realize that they require to create new Contacts based on sign-ups and retrieve existing deals data for analysis. The tool is then revamped to create Contacts and view Deals data. 
When a marketer who uses the tool tries to create a Contact for the first time, the incremental authorization method is called in the backend. The marketer is redirected to the Zoho login page. Once logged in, the marketer is prompted to give access to the new resources. This enhances the refresh token, and the tool can continue using the same refresh token. 

Scenario 2

Consider that you want to use a new Zoho CRM API that just got released as part of the version release. Your refresh token does not have the required scope to access the new API.  You can make use of incremental authorization to append the required scope to the same refresh token in these cases.

How can you use Incremental Authorization?

Step 1: Initiation Request 

First, you need to send a request to get the scope enhancement token along with the refresh token for which the extra access is required.

Request format

POST 
{accounts-url}/oauth/v2/token/scopeenhance
?grant_type=update_scopes_token
&client_id={client_id}
&client_secret={client_secret}
&refresh_token={refresh_token}


The accounts-url is specific to the location (i.e., datacenter) where the client is registered. See all the server-specific URLs.
Request Parameters 
You should send the initiation request with the below parameters. All parameters are mandatory
  • grant_type: Specify the value as "update_scopes_token".
  • client_id: Specify the client-id obtained from the API console.
  • client_secret: Specify client-secret obtained from the API console.
  • refresh_token: Specify the refresh token to which the additional scopes should be appended.
You will receive a response in the below format
{
"access_token": "{scope_enhancement_token}",
"token_type": "update_scope",
"expires_in": 600
}

The scope_enhancement_token received in this response should be passed as a parameter in the next step - scope enhancement request.

Step 2: Scope enhancement request

This request appends the refresh token with additional scopes.
Request format
GET
{accounts-url}/oauth/v2/token/addextrascope
?response_type=update_scopes
&client_id={client_id}
&redirect_uri={redirect_uri}
&scope={required_scopes}
&enhance_token={scope_enhancement_token}
&logout=true

Parameters
  • response_type: Specify the value as "update_scopes".
  • client_id: Specify the client-id obtained from the API console.
  • redirect_uri : Specify the URI to which the authorization server will redirect the browser back with success or failure response. It has to be the same URI which is provided when registering the app in the API console.
  • scope: Specify the scopes of the additional resources for which access is required.
  • enhance_token: Scope enhancement token received in the response of the previous initiation request. 
  • logout: Specify as true if the user's session should be terminated after the permission is granted or rejected.
When this request is called, the application redirects the user to the Zoho Login page, and the user enters the Zoho credentials. Then, the permissions required are displayed once the user is authenticated.
The refresh token will be appended with the additional scopes, and a success response will be returned when the user grants permission. The user will be redirected to the redirect_uri with params status as success and scope_enhanced as true. The user can continue using the same refresh token can be used. If the user rejects the authentication, the system returns a failure response.  The user will be redirected to the redirect_uri with params error as access_denied.

You will receive a response in the below formats:

Success Response
{redirect_uri}?status=success&scope_enhanced=true

Failure Response
{redirect_uri}?error=access_denied

We hope you found this post useful. We will meet you next week with another interesting topic!
If you have any questions, let us know in the comment section.
Cheers!


    • Sticky Posts

    • Kaizen #198: Using Client Script for Custom Validation in Blueprint

      Nearing 200th Kaizen Post – 1 More to the Big Two-Oh-Oh! Do you have any questions, suggestions, or topics you would like us to cover in future posts? Your insights and suggestions help us shape future content and make this series better for everyone.

    • Kaizen #226: Using ZRC in Client Script

      Hello everyone! Welcome to another week of Kaizen. In today's post, lets see what is ZRC (Zoho Request Client) and how we can use ZRC methods in Client Script to get inputs from a Salesperson and update the Lead status with a single button click. In this

    • Kaizen #222 - Client Script Support for Notes Related List

      Hello everyone! Welcome to another week of Kaizen. The final Kaizen post of the year 2025 is here! With the new Client Script support for the Notes Related List, you can validate, enrich, and manage notes across modules. In this post, we’ll explore how

    • Kaizen #217 - Actions APIs : Tasks

      Welcome to another week of Kaizen! In last week's post we discussed Email Notifications APIs which act as the link between your Workflow automations and you. We have discussed how Zylker Cloud Services uses Email Notifications API in their custom dashboard.

    • Kaizen #216 - Actions APIs : Email Notifications

      Welcome to another week of Kaizen! For the last three weeks, we have been discussing Zylker's workflows. We successfully updated a dormant workflow, built a new one from the ground up and more. But our work is not finished—these automated processes are

      • Recent Topics

      • Reopen ticket on specific date/time

        Is there a way that we can close a ticket and setup a reopen of that ticket on a specific date and time? (without using the "on hold" ticket option)

      • API credit COQL COUNT

        The docs describe API credits in COQL from the LIMIT perspective: https://www.zoho.com/crm/developer/docs/api/v8/COQL-Overview.html When using aggregate functions such as `COUNT` or `SUM`, is that billed as 1 API credit?

      • Anyone Building AI-Based SEO Dashboards in Zoho Analytics?

        Hey everyone, I’m currently working on an SEO reporting dashboard in Zoho Analytics and looking to enhance it with AI-based insights—especially around AI visibility, keyword trends, and traffic sources. The goal is to track not just traditional metrics

      • Remove 'This is an automated mail from Zoho Sign' in footer

        Hi there, Is it possible to remove or change the text under the e-mail templates? I can't figure out how to do that: Would love to hear from you. Kind regards, Tristan

      • Passing Info from Function to Client Script

        Hello, I have recently started making use of client script for buttons, allowing me to give the user information or warnings before they proceed. This is great. However, I have never quite managed to pass back any extra information from the function to

      • Drag 'n' Drop Fields to a Sub-Form and "Move Field To" Option

        Hi, I would like to be able to move fields from the Main Page to a Sub-Form or from a Sub-Form to either the Main Page or another Sub-Form. Today if you change the design you have to delete and recreate every field, not just move them. Would be nice to

      • Zoho Payroll for Canada

        Is anyone else having problems getting setup for Canada?

      • Passing the CRM

        Hi, I am hoping someone can help. I have a zoho form that has a CRM lookup field. I was hoping to send this to my publicly to clients via a text message and the form then attaches the signed form back to the custom module. This work absolutely fine when

      • One Contact with Multiple Accounts with Portal enabled

        I have a contact that manages different accounts, so he needs to see the invoices of all the companies he manage in Portal but I found it not possible.. any idea? I tried to set different customers with the same email contact with the portal enabled and

      • User Automation: User based workflow rules & webhooks

        User management is an undeniable part of project management and requires adequate monitoring. As teams grow and projects multiply, manual coordination for updating users & permissions becomes difficult and can give way to errors. User automation in Zoho

      • Default Ticket View - Table?

        Guys, We mostly use the table view to queue tickets. Maybe I am missing it - but how can I set that view as 'default" for all our agents? Thanks JV

      • Zoho One IS BUGGY

        Here are some things that just don't work: - Disabling applications from certain Spaces - Adding users (probably only for me) - Renaming applications in Zoho One Portal (fixed by now) - Reordering applications in Spaces When I try to reorder: It feels

      • Merge Fields that previously worked are now giving an Error!

        Saving a URL Link button on the Deal module. The below fields used to save without issue at all, but now produce an error of "URL contains unsupported merge field!" ${Contacts.Mailing Street} ${Contacts.Mailing City} ${Contacts.Mailing State} ${Contacts.Mailing

      • Clarification on Zoho Forms 1-User Plan: Multiple Submitters and Approvers

        Question Content (Copy–Paste Ready) Hello Zoho Team, I would like clarification regarding Zoho Forms pricing and user limits. I am planning to subscribe to the ₹700/month (1 user) plan. My use case is as follows: Only 1 person (myself) will create and

      • App for Mac OS X please!

        It would be awesome to have a mail app for Mac OS X that included all the cool features such as steams, calendar, tasks, contacts, etc. Most people prefer native apps, rather than running it through a web browser. I know that we can use the IMAP, CalDAV,

      • Facing Issues with Sites Mobile font sizes

        my page renediaz.com is facing issues mobile view, when i try to lower font sizes in home page, instead of changing the size, it changes the line space

      • Zoho Books Payroll

        How am I supposed to do payroll and pay my employees with Zoho Books? I think it's pretty strange that an accounting software doesn't have the ability to perform one of the most common functions in business; paying your employees. Am I missing something,

      • Canvas templates can now be shared with different CRM organizations

        ----------------------------------------Moderated on 14th February, 2023------------------------------------------- Dear all, This feature is now open for all users in all DCs. To learn more about importing and exporting canvas templates, read our help

      • Change Last Name to not required in Leads

        I would like to upload 500 target companies as leads but I don't yet have contact people for them. Can you enable the option for me to turn this requirement off to need a Second Name? Moderation update (10-Jun-23): As we explore potential solutions for

      • creating an alias

        your instructions for creating an alias are wrong. there is no add alias in my mail account. also i dont have a control panel link just a settings link how do i really make an alias

      • Reply to Email for SO/PO

        Hello, We are new to Zoho Books and running into an issue. Our support@ email is our integration user. When our team is sending out PO/SO's we are updating the sender email, but for some reason many of our responses are coming back to our support@ email

      • ZOHO Payroll Canada

        Any plans on the roadmap for Canada?

      • Zoho Books Sandbox environment

        Hello. Is there a free sandbox environment for the developers using Zoho Books API? I am working on the Zoho Books add-on and currently not ready to buy a premium service - maybe later when my add-on will start to bring money. Right now I just need a

      • Multi-currency and Products

        One of the main reasons I have gone down the Zoho route is because I need multi-currency support. However, I find that products can only be priced in the home currency, We sell to the US and UK. However, we maintain different price lists for each. There

      • ZOHO Writer Folders

        Hi We would love to have ability to create folders on the left hand side. We would then be able create and store our documents within each folder Hope you can provide this feature soon ! dux.centra

      • How can Data Enrichment be automatically triggered when a new Lead is created in Zoho CRM?

        Hi, I have a pipeline where a Lead is created automatically through the Zoho API and I've been trying to look for a way to automatically apply Data Enrichment on this created lead. 1) I did not find any way to do this through the Zoho API; it seems like

      • Escalation request: organization merge and data export (Ticket [154609577])

        Hello Zoho Team, I am posting here because my support ticket has not received substantive responses through the usual channels. Summary of the issue (ongoing for three weeks): I requested assistance with a data migration and a merge of two Zoho organizations.

      • Different form submission results for submitter and internal users

        I'm looking for suggestions on how to show an external submitter a few results while sending internal users all the results from the answers provided by the external user. The final page of our form has a section with detailed results and a section with

      • Formatting and slow

        Creating campaigns are difficult.  I'm fairly computer literate but some of the way Zoho Campaigns formatting works is painful.  Images fail to upload or are very slow. To top it off, syncing the contacts is a pain as well as temperamental links to create Segments. At this rate I'm afraid we might need to migrate back to Mailchimp.

      • Boost your Zoho Desk's performance by archiving tickets!

        The longer your help desk operations are, the more likely it is to accumulate tickets that are no longer relevant. For example, ticket records from a year ago are typically less relevant than currently open tickets. Such old tickets may eventually lead

      • Paste emails to create segment

        We are moving over from Mailchimp to ZOHO. However Mailchimp allows me to create a segment by pasting in emails from excel (or importing a .csv) can I do the same in Mailchimp?

      • Getting the Record ID of a form once it is submitted - so that form can be edited later

        In Zoho Forms, where can I access the record ID of a form once the form is submitted? - Record ID is not available in webhook payloads - It is not available to form fields, including in formulas - It is not available as a parameter in a thankyou page

      • Auto-Generate Line Numbers in Item Table Using HTML & CSS Counters (Zoho Books & Zoho Inventory Custom Templates)

        <div> <style> /* Start counter from 0 inside tbody */ tbody#lineitem { counter-reset: rowNumber; } /* Increment counter for each row */ tbody#lineitem tr { counter-increment: rowNumber; } /* Show counter value in first column */ tbody#lineitem tr td:first-child::before

      • Possible to define default font and size in Zoho Campaigns?

        Is it possible to define a default font (font, size and colour) for the text, H1 and H2 in Zoho Campaigns? For example: In a campaign, I add a text block, and the text is automatically century gothic, size 11, grey (6f6f6e) by default? Thank you!

      • Zoho Sites - General Feedback

        Hi Everyone-- Quick question for discussion: is it me or is working with Zoho Sites like entering the Twilight Zone? I've built many sites over the years, but this platform seems impossible. I've spent an entire day and a half trying to get a simple one-color

      • Zoho People & Zoho CRM Calendar

        Hi, Does anyone know if it is possible to link Zoho People and the calendar in CRM? I would like when holidays are approved they automatically appear in the calendar on CRM. Thanks 

      • File Upload field not showing in workflow

        Hi, I have added a field on Zoho CRM. I want to use it in a workflow where that particular field is updated based on another field, however it is not showing up in the field list to select it in the workflow. Why is this please?

      • You cannot send this email campaign as it doesn't have any eligible contacts in the selected mailing list. You can try adding contacts or choose other mailing lists.

        please help

      • Strengthening the capabilities of CommandCenter in Zoho CRM Plus

        When you look at the prospect-to-customer journey in most businesses 10 to 15 years ago, it was relatively straightforward. Many of us remember walking into a store, sharing our requirements with a sales associate, reviewing a few options, and making

      • World date & time format

        Hello, Is there a timeline to get the worldwide used date and time format ? I mean not the american one... I mean day month year, and 24 hours clock. Regards

      • Next Page