Kaizen #168 - Incremental Authorization

Kaizen #168 - Incremental Authorization


Welcome to this week's post in the Kaizen series. In this post, we will discuss Incremental Authorization. 

What is Incremental Authorization?

Incremental Authorization is an OAuth strategy that allows a client to request specific authorization scopes as and when needed. This means that the client does not have to request every possible scope that might be needed upfront, which might result in a bad user experience. Incremental Authorization is considered a best practice in Oauth Authorization Request as:
  • Users are not overloaded with scopes in the initial stage
  • Users can control the amount of data they share

Who can use Incremental Authorization?

Server-based applications can make use of incremental authorization 

Incremental Authorization Flow

Incremental Authorization Flow

When a user first signs into the application, the application requests only the essential permissions needed. The user may trigger features that require additional permissions as they engage with the application. When the application identifies this, it follows the below steps:

Initiation Request (Step 1: Get Scope Enhancement Token )

The application makes a POST request to the endpoint /oauth/v2/token/scopeenhance, including the existing refresh token as a parameter. This request is aimed at obtaining a scope enhancement token, which is necessary for requesting additional permissions.

Scope Enhancement Request (Step 2)

After receiving the scope enhancement token, the app then makes a request to the endpoint /oauth/v2/token/addextrascope. In this request, it specifies which additional scopes are needed.

User Consent

The user is presented with a consent screen that details the new permissions being requested. This screen will only show the new permissions required and not those already granted.
If the user approves these new permissions, the refresh token (used in Step 1) and its associated access tokens will be updated to include the newly granted scopes.

Success Response

Upon successful approval by the user, a success response is returned, confirming that the additional scopes have been appended to the existing refresh token.

When is Incremental Authorization Useful?

Let us take a look at two scenarios where incremental authorization is particularly useful.

Scenario 1 

Zylker Marketing, a marketing agency, utilizes a custom in-house marketing tool that integrates with Zoho CRM.  Initially, the tool has permission to read Leads in Zoho CRM. However, as the marketing team expands their operations, they realize that they require to create new Contacts based on sign-ups and retrieve existing deals data for analysis. The tool is then revamped to create Contacts and view Deals data. 
When a marketer who uses the tool tries to create a Contact for the first time, the incremental authorization method is called in the backend. The marketer is redirected to the Zoho login page. Once logged in, the marketer is prompted to give access to the new resources. This enhances the refresh token, and the tool can continue using the same refresh token. 

Scenario 2

Consider that you want to use a new Zoho CRM API that just got released as part of the version release. Your refresh token does not have the required scope to access the new API.  You can make use of incremental authorization to append the required scope to the same refresh token in these cases.

How can you use Incremental Authorization?

Step 1: Initiation Request 

First, you need to send a request to get the scope enhancement token along with the refresh token for which the extra access is required.

Request format

POST 
{accounts-url}/oauth/v2/token/scopeenhance
?grant_type=update_scopes_token
&client_id={client_id}
&client_secret={client_secret}
&refresh_token={refresh_token}


The accounts-url is specific to the location (i.e., datacenter) where the client is registered. See all the server-specific URLs.
Request Parameters 
You should send the initiation request with the below parameters. All parameters are mandatory
  • grant_type: Specify the value as "update_scopes_token".
  • client_id: Specify the client-id obtained from the API console.
  • client_secret: Specify client-secret obtained from the API console.
  • refresh_token: Specify the refresh token to which the additional scopes should be appended.
You will receive a response in the below format
{
"access_token": "{scope_enhancement_token}",
"token_type": "update_scope",
"expires_in": 600
}

The scope_enhancement_token received in this response should be passed as a parameter in the next step - scope enhancement request.

Step 2: Scope enhancement request

This request appends the refresh token with additional scopes.
Request format
GET
{accounts-url}/oauth/v2/token/addextrascope
?response_type=update_scopes
&client_id={client_id}
&redirect_uri={redirect_uri}
&scope={required_scopes}
&enhance_token={scope_enhancement_token}
&logout=true

Parameters
  • response_type: Specify the value as "update_scopes".
  • client_id: Specify the client-id obtained from the API console.
  • redirect_uri : Specify the URI to which the authorization server will redirect the browser back with success or failure response. It has to be the same URI which is provided when registering the app in the API console.
  • scope: Specify the scopes of the additional resources for which access is required.
  • enhance_token: Scope enhancement token received in the response of the previous initiation request. 
  • logout: Specify as true if the user's session should be terminated after the permission is granted or rejected.
When this request is called, the application redirects the user to the Zoho Login page, and the user enters the Zoho credentials. Then, the permissions required are displayed once the user is authenticated.
The refresh token will be appended with the additional scopes, and a success response will be returned when the user grants permission. The user will be redirected to the redirect_uri with params status as success and scope_enhanced as true. The user can continue using the same refresh token can be used. If the user rejects the authentication, the system returns a failure response.  The user will be redirected to the redirect_uri with params error as access_denied.

You will receive a response in the below formats:

Success Response
{redirect_uri}?status=success&scope_enhanced=true

Failure Response
{redirect_uri}?error=access_denied

We hope you found this post useful. We will meet you next week with another interesting topic!
If you have any questions, let us know in the comment section.
Cheers!




      • Sticky Posts

      • Kaizen #217 - Actions APIs : Tasks

        Welcome to another week of Kaizen! In last week's post we discussed Email Notifications APIs which act as the link between your Workflow automations and you. We have discussed how Zylker Cloud Services uses Email Notifications API in their custom dashboard.

      • Kaizen #216 - Actions APIs : Email Notifications

        Welcome to another week of Kaizen! For the last three weeks, we have been discussing Zylker's workflows. We successfully updated a dormant workflow, built a new one from the ground up and more. But our work is not finished—these automated processes are

      • Kaizen #152 - Client Script Support for the new Canvas Record Forms

        Hello everyone! Have you ever wanted to trigger actions on click of a canvas button, icon, or text mandatory forms in Create/Edit and Clone Pages? Have you ever wanted to control how elements behave on the new Canvas Record Forms? This can be achieved

      • Kaizen #142: How to Navigate to Another Page in Zoho CRM using Client Script

        Hello everyone! Welcome back to another exciting Kaizen post. In this post, let us see how you can you navigate to different Pages using Client Script. In this Kaizen post, Need to Navigate to different Pages Client Script ZDKs related to navigation A.

      • Kaizen #210 - Answering your Questions | Event Management System using ZDK CLI

        Hello Everyone, Welcome back to yet another post in the Kaizen Series! As you already may know, for the Kaizen #200 milestone, we asked for your feedback and many of you suggested topics for us to discuss. We have been writing on these topics over the

        • Recent Topics

        • Getting an error Address not found Your message wasn't delivered

          Hey, I'm trying to configure zoho mail for my website https://businessentity.org/ The email is meredith.karter@businessentity.org I'm able to successfully send the mails but when someone sends an email to above mail, this error shoots up: Address not

        • Support Uploading YouTube Videos Longer Than 60 Minutes

          Hi Zoho Social Team, How are you? We would like to request support for uploading YouTube videos longer than 60 minutes directly through Zoho Social. Your support team informed us that Zoho Social currently cannot upload videos over 60 minutes due to “API

        • Need Faster Help? Try Live Chat Support

          Hello there, We understand that sometimes, whether you’re facing an issue, exploring a feature, or need quick clarification, sending an email and waiting for a response just doesn’t cut it. You need answers, and you need them now. That’s exactly why we

        • Can't deactivate Spell Check

          Hi Community, right now I'm using the Zoho Mail Desktop-Software. So far, so good.. many possibilities. Overall very nice. What is extremely annoying right now, is that we are not able to deactivate the Spell Check feature. And we are barely able to focus

        • Zoho Toolkit Email Signature Generator

          I'm having real issues with the email signature generator with no matter where I host the photo, Zoho doesn't seem to show the photo on the link provided?

        • Company Policy Upload - Request All EE to review and sign

          How can I upload policies into Zoho People and have the employees review them and sign off saying they agree, etc.? Also, if I make a revision to a policy, I would like that changed or updated policy to be distributed or have the employees notified that

        • Zoho Sign Global Settings vs. Template and Document

          Hello, We are running into an issue on a current use case. We already use Zoho Sign. Now that KBA is available, we want to begin using it in our tax delivery process, by allowing clients to sign electronically, but also download a copy of their return

        • Zoho Mail Desktop Crashes on Linux - Ubuntu 24 LTS

          Hi, I have been trying to run the desktop app on Ubuntu for the past few day with no luck. I have tried both the .deb package and the appImage. When I attempt to open the app. It just crashes immediately. The crash error dialog appeared once and I cant

        • Can't login to Zoho mail

          I'm logged into Zoho but when I try to go in zoho mail I get: Invalid request! The input passed is invalid or the URL is invoked without valid parameters. Please check your input and try again. I just set up my mx records and stuff with namecheap a few

        • Zoho IP blocked by SpamCop

          Hi, Many of my emails are blocked and I receive this:  INVALID_ADDRESS, ERROR_CODE :550, ERROR_CODE :spamcop.mimecast.org Blocked - see https://www.spamcop.net/bl.shtml?136.143.188.51. - https://community.mimecast.com/docs/DOC-1369#550 [DGwIYPPSOfWI

        • Differences between Zoho Books and Zoho Billing

          Without a long drawn out process to compare these. If you were looking at these Books and Billing, what made you opt for one and not the other. Thanks

        • Server error when trying to Data > Sort > Custom Sort

          Been using Data > Sort > Custom Sort for a while, now it has suddenly stopped working. When selecting the same data range and trying to execute, I get "Sorry! There was a problem saving your last edit. Please try again."

        • To Assign a genrated pdf to a file upload field using delug

          content = "<html><body>HTML Content on page One <div style='page-break-after:always'></div> HTML Content on page Two </body></html>"; file = zoho.file.convertToPDF(content); file.setFileName("Name of the file"); <variableName> = <FormLinkName>[ID == input.ID];

        • TArgets To Accounts (Modules)

          How can i set sale target to Customers (Accounts Module)

        • Breaking barriers with multilingual WhatsApp templates in IM

          Ever wondered what it feels like to be greeted in your own language by a brand you love? A “Welcome!” feels nice, but a “¡Bienvenido!” or “स्वागत है!” feels personal. In today’s global world, conversations often need to cross both time zones and cross

        • Super Admin Logging in as another User

          How can a Super Admin login as another user. For example, I have a sales rep that is having issues with their Accounts and I want to view their Zoho Account with out having to do a GTM and sharing screens. Moderation Update (8th Aug 2025): We are working

        • How to share private Opportunities with whole org at an account level

          Opportunities are currently set to private, so our sales team only sees their own opportunities, along with their manager and upper leadership. The need is the ability for the rest of the Org to see the opportunities at an account level, not within the

        • New in Smart Prompt: Record Assistant for contextual assistance, and support for new AI models

          Smart Prompt helps teams stay informed and move faster by providing relevant suggestions where work happens in CRM. With this update, Smart Prompt becomes more adaptable to your organization’s AI preferences. You can now choose which Large Language Model

        • Problema Verificacion con proveedor NIC.AR

          No puedo realizar la verificación del correo, he seguido los pasos indicados y configurado los MX. Y no puedo verificar el correo. He leido en el foro que otros han tenido el mismo problema. Alguno pudo solucionarlo?

        • How to remove some users in zoho accounts

          How to remove some users in Zoho accounts.

        • Unified Inbox for all, including fetched mails

          I fetch mails from different third-parties mailboxes. But I need to switch mailbox too see fetched mails. It's strange. All mailboxes have one shared disk space for own mail and fetched mail, but why do we need to switch mailbox (on the left bottom) to

        • Whatsapp Limitation Questions

          Good day, I would like to find out about the functionality or possibility of all the below points within the Zoho/WhatsApp integration. Will WhatsApp buttons ever be possible in the future? Will WhatsApp Re-directs to different users be possible based

        • Users Not Automatically Being Added To WorkDrive Team

          I have already created a ticket for this issue, but the support team doesn't seem to understand what's happening. Our organization started with a trial of Zoho Workplace around November 10, 2025. I created 10 users, including myself. I sent out the invites,

        • Synchronization between Gmail and Zoho Mail

          Hello! I am using Zoho Mail within the Zoho One platform. I have completed the basic setup and added all the required DNS records with our domain provider. Our goal is to set up two-way synchronization between our current Gmail inbox and Zoho Mail, but

        • IMAP login problem

          I have my domain hosted with zoho @wilson.ie I have added a new user and have enabled IMAP access to this user account The user can login to zoho mail on the web. When we enter the server settings into Outlook as per below, Outlook cannot login to the

        • Contact data removes Account data when creating a quote

          Hi, Our customer has address fields in their quote layout which should be the address of the Account. They prefill the information, adding the account name - the address data is populated as per what is in the account - great. However when they then add

        • Changes to subform in Zoho CRM Portal Timeline History Unavailable

          Hi Support Team, We have noticed a feature limitation in the Zoho CRM portal. We created a portal for our vendors to edit records directly, but when vendors make updates, the Modified Time and Date fields are not being updated. Additionally, these updates

        • This mobile number has been marked spam. Please contact support.

          Hi Support, Can you tell me why number was marked as spam. I have having difficult to add my number as you keep requesting i must use it. My number is +63....163 Or is Zoho company excluding Philippines from their services?

        • Function #11: Apply unused credits automatically to invoices

          Today, we bring you a custom function that automatically applies unused credits from excess payments, credit notes, and retainer payments to an invoice when it is created. Prerequisites: Create a Connection named "zbooks" to successfully execute the function.

        • Duplicating report but custom layout does not

          Dear Zoho Creator, I need to duplicate a report into 10 copies, but unfortunately the custom layout (detail view) doesn’t copy along with it. I tried exporting and importing the custom layout, but the field mappings are incorrect. I believe everyone are

        • Credit Card Readers?

          We would like to use our commerce website at conferences (and eventually in store) to swipe credit cards to pay for orders. How would we accomplish this? Does Zoho have anything available for a developer write code to integrate something like Stripe Terminal

        • Stock count by bin location

          Is there a configuration to make a stock count by bin or area and not by product. these is useful to manage count by area Regards

        • Add Prebuilt "Partner Finder" Template with Native Zoho CRM Integration in Zoho Sites To: Zoho Sites Product Team

          Hi Zoho Team, We hope you're doing well. We would like to request a prebuilt "Partner Finder" template for Zoho Sites, modeled after your excellent implementation here: 🔗 https://www.zoho.com/partners/find-partner-results.html ✅ Use Case: Our organization

        • How Do I Refund a Customer Directly to Their Credit Card?

          Hi, I use books to auto-charge my customers credit card. But when I create a credit note there doesn't seem to be a way to directly refund the amount back to their credit card. Is the only way to refund a credit note by doing it "offline" - or manually-

        • Zoho Learn Course Completion Notifications/Triggers/API

          Zoho Learn works great and will suit our course creation needs, but it appears to be lacking a bit when it comes to integration with other Zoho services (creator etc.) when it comes to course completion. 1) Is there an API or Zoho Flow trigger for when

        • Enhanced Recording Permission Controls for Zoho Cliq Meetings (Similar to Zoom)

          Hello Zoho Cliq Team, We hope you are doing well. We would like to request an enhancement to the recording permission functionality in Zoho Cliq Meetings. Current Limitation: in Zoho Cliq Only hosts and co-hosts can record a meeting. Participants cannot

        • Phone Connection

          When on a call the person on the other end complains that there is static, I am cutting in and out or they can't hear me all. This happens on the cell connection as well.

        • Can't add a sender adress from zoho campaigns

          hi, I need to change the sender address for a campaign.  When i try to add it i get a message to say 'duplicated email address found while adding your sender address'.  This is the first campaign i'm sending so I don't understand why this message is displayed? Thanks Jane 

        • Allow customers to choose meeting venue and meeting duration on booking page

          My business primarily involves one-to-one meetings with my clients. Given the hybrid-work world we now find ourselves in, these meetings can take several forms (which I think of as the meeting "venue"): In-person Zoom Phone call I currently handle these

        • Export History timeline

          Hi, I have an idea, bout zoho desk history of the ticket it would be great if the agent or admin of the zoho desk can export the timeline of the ticket history for agent report or on other matter.

        • Next Page