Kaizen #168 - Incremental Authorization

Welcome to this week's post in the Kaizen series. In this post, we will discuss Incremental Authorization. 

What is Incremental Authorization?

Incremental Authorization is an OAuth strategy that allows a client to request specific authorization scopes as and when they are needed. The client does not have to request every scope it might ever need upfront, which would result in a poor user experience. Incremental Authorization is considered a best practice for OAuth authorization requests because:
  • Users are not overloaded with scopes at the initial stage
  • Users can control the amount of data they share

Who can use Incremental Authorization?

Server-based applications can make use of incremental authorization.

Incremental Authorization Flow

When a user first signs into the application, the application requests only the essential permissions needed. The user may trigger features that require additional permissions as they engage with the application. When the application identifies this, it follows the below steps:

Initiation Request (Step 1: Get Scope Enhancement Token)

The application makes a POST request to the endpoint /oauth/v2/token/scopeenhance, including the existing refresh token as a parameter. This request is aimed at obtaining a scope enhancement token, which is necessary for requesting additional permissions.

Scope Enhancement Request (Step 2)

After receiving the scope enhancement token, the app then makes a request to the endpoint /oauth/v2/token/addextrascope. In this request, it specifies which additional scopes are needed.

User Consent

The user is presented with a consent screen that details the new permissions being requested. This screen will only show the new permissions required and not those already granted.
If the user approves these new permissions, the refresh token (used in Step 1) and its associated access tokens will be updated to include the newly granted scopes.

Success Response

Upon successful approval by the user, a success response is returned, confirming that the additional scopes have been appended to the existing refresh token.

When is Incremental Authorization Useful?

Let us take a look at two scenarios where incremental authorization is particularly useful.

Scenario 1 

Zylker Marketing, a marketing agency, uses a custom in-house marketing tool that integrates with Zoho CRM. Initially, the tool only has permission to read Leads in Zoho CRM. However, as the marketing team expands its operations, it needs to create new Contacts based on sign-ups and retrieve existing Deals data for analysis. The tool is then revamped to create Contacts and view Deals data.
When a marketer who uses the tool tries to create a Contact for the first time, the incremental authorization method is called in the backend. The marketer is redirected to the Zoho login page. Once logged in, the marketer is prompted to grant access to the new resources. This enhances the refresh token, and the tool can continue using the same refresh token.

Scenario 2

Consider that you want to use a new Zoho CRM API that has just been released as part of a version release, and your refresh token does not have the scope required to access the new API. In such cases, you can use incremental authorization to append the required scope to the same refresh token.

How can you use Incremental Authorization?

Step 1: Initiation Request 

First, you need to send a request to get the scope enhancement token along with the refresh token for which the extra access is required.

Request format

POST
{accounts-url}/oauth/v2/token/scopeenhance
?grant_type=update_scopes_token
&client_id={client_id}
&client_secret={client_secret}
&refresh_token={refresh_token}


The accounts-url is specific to the location (i.e., datacenter) where the client is registered. See all the server-specific URLs.
Request Parameters 
You should send the initiation request with the parameters below. All parameters are mandatory.
  • grant_type: Specify the value as "update_scopes_token".
  • client_id: Specify the client ID obtained from the API console.
  • client_secret: Specify the client secret obtained from the API console.
  • refresh_token: Specify the refresh token to which the additional scopes should be appended.
You will receive a response in the format below:
{
"access_token": "{scope_enhancement_token}",
"token_type": "update_scope",
"expires_in": 600
}

The scope_enhancement_token received in this response should be passed as a parameter in the next step, the scope enhancement request. Note that expires_in is 600 seconds, so the scope enhancement request must be made within ten minutes of receiving this response.

Step 2: Scope enhancement request

This request appends the refresh token with additional scopes.
Request format
GET
{accounts-url}/oauth/v2/token/addextrascope
?response_type=update_scopes
&client_id={client_id}
&redirect_uri={redirect_uri}
&scope={required_scopes}
&enhance_token={scope_enhancement_token}
&logout=true

Parameters
  • response_type: Specify the value as "update_scopes".
  • client_id: Specify the client ID obtained from the API console.
  • redirect_uri: Specify the URI to which the authorization server will redirect the browser back with the success or failure response. It has to be the same URI that was provided when registering the app in the API console.
  • scope: Specify the scopes of the additional resources for which access is required.
  • enhance_token: The scope enhancement token received in the response to the previous initiation request.
  • logout: Specify as true if the user's session should be terminated after the permission is granted or rejected.
When this request is called, the application redirects the user to the Zoho login page, where the user enters their Zoho credentials. Once the user is authenticated, the permissions required are displayed.
When the user grants permission, the refresh token is appended with the additional scopes and a success response is returned: the user is redirected to the redirect_uri with the params status set to success and scope_enhanced set to true, and the same refresh token can continue to be used. If the user rejects the request, the system returns a failure response: the user is redirected to the redirect_uri with the param error set to access_denied.

You will receive a response in one of the formats below:

Success Response
{redirect_uri}?status=success&scope_enhanced=true

Failure Response
{redirect_uri}?error=access_denied
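The following is an added example, not code from this post or from Zoho, showing the full procedure described in the flow section and in Steps 1 and 2 above from the server-side application's point of view: building the Step 1 POST (client secret in the request body, never in a browser-visible URL), validating the Step 1 response, building the Step 2 redirect URL with only the additional scopes, and interpreting the two documented callback outcomes on the registered redirect_uri. The endpoint paths and parameter names are the ones given on this page; the accounts URL, client credentials, refresh token, redirect URI, scope names and the comma separator between scopes are constructed assumptions.

```python
"""Worked example of the two-step incremental authorization procedure.
Added example, not Zoho's code. Endpoint paths and parameter names come
from the post; everything else below is a constructed placeholder."""
import json
import urllib.parse
import urllib.request

# Constructed placeholders (not real credentials or a real data center URL).
ACCOUNTS_URL = "https://accounts.example.test"          # assumed accounts-url
CLIENT_ID = "1000.EXAMPLE_CLIENT_ID"                      # assumed
CLIENT_SECRET = "example_client_secret"                   # assumed
REGISTERED_REDIRECT_URI = "https://app.example.test/oauth/callback"  # assumed

SCOPE_ENHANCE_PATH = "/oauth/v2/token/scopeenhance"       # from the post
ADD_EXTRA_SCOPE_PATH = "/oauth/v2/token/addextrascope"    # from the post


def build_initiation_request(refresh_token):
    """Step 1: the POST to scopeenhance. Returns (url, form_body_bytes).
    The client secret travels in the POST body straight to the accounts
    server; it never appears in a URL the user's browser sees."""
    body = urllib.parse.urlencode({
        "grant_type": "update_scopes_token",
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "refresh_token": refresh_token,
    }).encode()
    return ACCOUNTS_URL + SCOPE_ENHANCE_PATH, body


def parse_initiation_response(raw_json):
    """Validate the Step 1 response and return the scope enhancement token.
    A response whose token_type is not 'update_scope' is rejected so that an
    ordinary access token is never passed on as an enhance_token."""
    data = json.loads(raw_json)
    if data.get("token_type") != "update_scope":
        raise ValueError("unexpected token_type: %r" % data.get("token_type"))
    if not data.get("access_token"):
        raise ValueError("response carries no scope enhancement token")
    return data["access_token"]


def build_scope_enhancement_url(enhance_token, extra_scopes, logout=False):
    """Step 2: the URL the user's browser is redirected to for consent.
    Only the additional scopes are listed, and no client_secret appears.
    Comma-separated scopes are an assumption of this example."""
    query = {
        "response_type": "update_scopes",
        "client_id": CLIENT_ID,
        "redirect_uri": REGISTERED_REDIRECT_URI,
        "scope": ",".join(extra_scopes),
        "enhance_token": enhance_token,
    }
    if logout:
        query["logout"] = "true"
    return ACCOUNTS_URL + ADD_EXTRA_SCOPE_PATH + "?" + urllib.parse.urlencode(query)


def parse_callback(callback_url):
    """Interpret the redirect back to redirect_uri. Returns 'granted' for the
    documented success response, 'denied' for access_denied, and raises for
    a callback on any other URI or with any other parameter set."""
    parsed = urllib.parse.urlsplit(callback_url)
    base = urllib.parse.urlunsplit((parsed.scheme, parsed.netloc, parsed.path, "", ""))
    if base != REGISTERED_REDIRECT_URI:
        raise ValueError("callback arrived on an unregistered redirect_uri")
    params = dict(urllib.parse.parse_qsl(parsed.query))
    if params.get("status") == "success" and params.get("scope_enhanced") == "true":
        return "granted"
    if params.get("error") == "access_denied":
        return "denied"
    raise ValueError("unrecognised callback parameters: %r" % params)


def send_initiation_request(refresh_token):
    """Performs Step 1 over the network (not exercised in the offline demo)."""
    url, body = build_initiation_request(refresh_token)
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_initiation_response(resp.read().decode())


if __name__ == "__main__":
    # Constructed sample of a Step 1 response in the format shown in the post.
    sample_step1 = ('{"access_token": "1000.sample_enhance_token", '
                    '"token_type": "update_scope", "expires_in": 600}')
    token = parse_initiation_response(sample_step1)
    # Assumed scope names, in the ZohoCRM.modules.<module>.<operation> style.
    print(build_scope_enhancement_url(
        token, ["ZohoCRM.modules.contacts.CREATE", "ZohoCRM.modules.deals.READ"]))
    print(parse_callback(REGISTERED_REDIRECT_URI + "?status=success&scope_enhanced=true"))
    print(parse_callback(REGISTERED_REDIRECT_URI + "?error=access_denied"))
```

Two checks in this example are worth keeping in a real integration: the Step 2 URL is built from the registered redirect_uri rather than from anything the user supplied, and the callback handler only accepts the two outcomes the post documents, on that same URI, so a stray or tampered redirect is treated as an error rather than as a grant.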

We hope you found this post useful. We will meet you next week with another interesting topic!
If you have any questions, let us know in the comment section.
Cheers!