Kaizen #168 - Incremental Authorization

Kaizen #168 - Incremental Authorization


Welcome to this week's post in the Kaizen series. In this post, we will discuss Incremental Authorization. 

What is Incremental Authorization?

Incremental Authorization is an OAuth strategy that allows a client to request specific authorization scopes as and when needed. This means that the client does not have to request every possible scope that might be needed upfront, which might result in a bad user experience. Incremental Authorization is considered a best practice in Oauth Authorization Request as:
  • Users are not overloaded with scopes in the initial stage
  • Users can control the amount of data they share

Who can use Incremental Authorization?

Server-based applications can make use of incremental authorization 

Incremental Authorization Flow

Incremental Authorization Flow

When a user first signs into the application, the application requests only the essential permissions needed. The user may trigger features that require additional permissions as they engage with the application. When the application identifies this, it follows the below steps:

Initiation Request (Step 1: Get Scope Enhancement Token )

The application makes a POST request to the endpoint /oauth/v2/token/scopeenhance, including the existing refresh token as a parameter. This request is aimed at obtaining a scope enhancement token, which is necessary for requesting additional permissions.

Scope Enhancement Request (Step 2)

After receiving the scope enhancement token, the app then makes a request to the endpoint /oauth/v2/token/addextrascope. In this request, it specifies which additional scopes are needed.

User Consent

The user is presented with a consent screen that details the new permissions being requested. This screen will only show the new permissions required and not those already granted.
If the user approves these new permissions, the refresh token (used in Step 1) and its associated access tokens will be updated to include the newly granted scopes.

Success Response

Upon successful approval by the user, a success response is returned, confirming that the additional scopes have been appended to the existing refresh token.

When is Incremental Authorization Useful?

Let us take a look at two scenarios where incremental authorization is particularly useful.

Scenario 1 

Zylker Marketing, a marketing agency, utilizes a custom in-house marketing tool that integrates with Zoho CRM.  Initially, the tool has permission to read Leads in Zoho CRM. However, as the marketing team expands their operations, they realize that they require to create new Contacts based on sign-ups and retrieve existing deals data for analysis. The tool is then revamped to create Contacts and view Deals data. 
When a marketer who uses the tool tries to create a Contact for the first time, the incremental authorization method is called in the backend. The marketer is redirected to the Zoho login page. Once logged in, the marketer is prompted to give access to the new resources. This enhances the refresh token, and the tool can continue using the same refresh token. 

Scenario 2

Consider that you want to use a new Zoho CRM API that just got released as part of the version release. Your refresh token does not have the required scope to access the new API.  You can make use of incremental authorization to append the required scope to the same refresh token in these cases.

How can you use Incremental Authorization?

Step 1: Initiation Request 

First, you need to send a request to get the scope enhancement token along with the refresh token for which the extra access is required.

Request format

POST 
{accounts-url}/oauth/v2/token/scopeenhance
?grant_type=update_scopes_token
&client_id={client_id}
&client_secret={client_secret}
&refresh_token={refresh_token}


The accounts-url is specific to the location (i.e., datacenter) where the client is registered. See all the server-specific URLs.
Request Parameters 
You should send the initiation request with the below parameters. All parameters are mandatory
  • grant_type: Specify the value as "update_scopes_token".
  • client_id: Specify the client-id obtained from the API console.
  • client_secret: Specify client-secret obtained from the API console.
  • refresh_token: Specify the refresh token to which the additional scopes should be appended.
You will receive a response in the below format
{
"access_token": "{scope_enhancement_token}",
"token_type": "update_scope",
"expires_in": 600
}

The scope_enhancement_token received in this response should be passed as a parameter in the next step - scope enhancement request.

Step 2: Scope enhancement request

This request appends the refresh token with additional scopes.
Request format
GET
{accounts-url}/oauth/v2/token/addextrascope
?response_type=update_scopes
&client_id={client_id}
&redirect_uri={redirect_uri}
&scope={required_scopes}
&enhance_token={scope_enhancement_token}
&logout=true

Parameters
  • response_type: Specify the value as "update_scopes".
  • client_id: Specify the client-id obtained from the API console.
  • redirect_uri : Specify the URI to which the authorization server will redirect the browser back with success or failure response. It has to be the same URI which is provided when registering the app in the API console.
  • scope: Specify the scopes of the additional resources for which access is required.
  • enhance_token: Scope enhancement token received in the response of the previous initiation request. 
  • logout: Specify as true if the user's session should be terminated after the permission is granted or rejected.
When this request is called, the application redirects the user to the Zoho Login page, and the user enters the Zoho credentials. Then, the permissions required are displayed once the user is authenticated.
The refresh token will be appended with the additional scopes, and a success response will be returned when the user grants permission. The user will be redirected to the redirect_uri with params status as success and scope_enhanced as true. The user can continue using the same refresh token can be used. If the user rejects the authentication, the system returns a failure response.  The user will be redirected to the redirect_uri with params error as access_denied.

You will receive a response in the below formats:

Success Response
{redirect_uri}?status=success&scope_enhanced=true

Failure Response
{redirect_uri}?error=access_denied

We hope you found this post useful. We will meet you next week with another interesting topic!
If you have any questions, let us know in the comment section.
Cheers!




      • Sticky Posts

      • Kaizen #217 - Actions APIs : Tasks

        Welcome to another week of Kaizen! In last week's post we discussed Email Notifications APIs which act as the link between your Workflow automations and you. We have discussed how Zylker Cloud Services uses Email Notifications API in their custom dashboard.

      • Kaizen #216 - Actions APIs : Email Notifications

        Welcome to another week of Kaizen! For the last three weeks, we have been discussing Zylker's workflows. We successfully updated a dormant workflow, built a new one from the ground up and more. But our work is not finished—these automated processes are

      • Kaizen #152 - Client Script Support for the new Canvas Record Forms

        Hello everyone! Have you ever wanted to trigger actions on click of a canvas button, icon, or text mandatory forms in Create/Edit and Clone Pages? Have you ever wanted to control how elements behave on the new Canvas Record Forms? This can be achieved

      • Kaizen #142: How to Navigate to Another Page in Zoho CRM using Client Script

        Hello everyone! Welcome back to another exciting Kaizen post. In this post, let us see how you can you navigate to different Pages using Client Script. In this Kaizen post, Need to Navigate to different Pages Client Script ZDKs related to navigation A.

      • Kaizen #210 - Answering your Questions | Event Management System using ZDK CLI

        Hello Everyone, Welcome back to yet another post in the Kaizen Series! As you already may know, for the Kaizen #200 milestone, we asked for your feedback and many of you suggested topics for us to discuss. We have been writing on these topics over the

        • Recent Topics

        • Using IMAP configuration for shared email inboxes

          Our customer service team utilizes shared email boxes to allow multiple people to view and handle incoming customer requests. For example, the customer sends an email to info@xxxx.com and multiple people can view it and handle the request. How can I configure

        • Add Lookup Field in Tasks Module

          Hello, I have a need to add a Lookup field in addition to the ones that are already there in the Tasks module. I've seen this thread and so understand that the reason lookup fields may not be part of it is that there are already links to the tables (

        • Hotmail is blocking the zoho mail IP

          Greetings, Since last Tuesday (5 days ago today) I wrote to Zoho support and I still haven't received a single response (Ticket ID: 2056917). Is this how you treat people who pay for your email service? I am making this public so that those who want to

        • Read webpage - MSXML2.ServerXMLHTTP

          I have the following VBA script, put together from various sources (mainly zoho forum/help/support, so it once worked, I guess): private Sub GetListOfSheets() Dim url As String Dim xmlhttp As Object Dim parameters As String Dim html As String range("B1").value

        • Zoho Creator Form Search

          I'm new to Zoho Creator and so far i do like it but im shocked there seems to be no easy way to add a search function and/or navigation to there forms as this readily available in every platform i have used in the past. Anyway i have a form which i have

        • How to setup DKIM / SPF in Zoho Mail

          Hello there! I'm having a hard time understanding how to setup the TXT records for SPF and DKIM with Zoho Mail. I'm following the instructions here: https://www.zoho.com/campaigns/help/setup-spf-dkim.html Specifically, when it comes to the value for the

        • Mass update cant trigger a workflow?

          Hello there, Is this a normal Creator behaviour? In a report, if I manually edit each data row, it will pass those changes to all other reports. However, if I perform a Mass Update on a few data rows at once, the new data is not pushed to other reports.

        • Exciting Updates to the Kiosk Studio Feature in Zoho CRM!

          Hello Everyone, We are here again with a series of new enhancements to Kiosk Studio, designed to elevate your experience and bring even greater efficiency to your business processes. These updates build upon our ongoing commitment to making Kiosk a powerful

        • search and Smart Bar both missing in Mail

          One of the users on my account does not have the search bar at the top right or the Smart Bar at the bottom left of the desktop Mail app. Any ideas how to get those back?

        • "Wrong password or login" Problem to configure Zoho on MAIL App on my Macbook

          Hi, I'm having problems to configure my e-mail on my MAIL App(Macbook pro). My e-mail is hari@trespontoum.net Actually was working perfectly, and still working on my Iphone. My MAIL App prompt me that my login or password is wrong. I tried to change 3

        • Remote Control Functionality During Screen Sharing in Zoho Cliq

          Hello Zoho Cliq Team, We would like to request the addition of remote control functionality during screen sharing sessions in Zoho Cliq. Currently, while screen sharing in Cliq is very useful, it lacks the ability for another participant to take control

        • Looking for best practices to import data from SAP Business One (on-prem) into Zoho Analytics via Zoho DataPrep / Databridge — daily automated schedule

          Hi all, I’m using SAP Business One on-prem (SQL Server / or HANA — depending on DB backend) as our ERP. I want to build a pipeline that, every morning at 9:00 AM IST: pulls transactional data (invoices, customers, products, stock, etc.) from SAP B1, loads

        • Let us add Lookup fields in the Blueprint Transitions

          We are unable to add Lookup Fields in the blueprint transitions in Zoho Desk, we wanted to make it a requirement for our workflow but since it's not available in the transition we cannot. The lookup field exists in the Layout: But it cannot be added/selected

        • Zoho Projects API Scope for Issue Attachments

          I try to download issue attachments via the API, unfortunately I always get the following error code when trying to download the file from the supplied URL: {"ERROR_MESSAGE":"INVALID_OAUTHSCOPE","ERROR_CODE":401} indicating an auth scope error. I've tried

        • How to fetch custom fields for time entries in Zoho Project API v3

          In the previous Zoho Projects REST API, we were able to retrieve custom field details for time entries, including picklist options, using the endpoint: GET /restapi/portal/[PORTAL_ID]/timesheetcustomfields In the new Zoho Projects API v3, we tried using

        • Zoho Survey Enhancements

          We love Survey. We use it a ton. It needs some enhancements. Maybe some of these are already on the roadmap? API - this is crucial. We have some complex surveys that take place and need to update records, trigger other functions/automations, etc. I would

        • Images Don't Display on Blog

          Hi, I've just posted a new blog entry, but regardless of format (png or jpeg) Images that display in Preview mode do not display on any browser in the published post.  I've not done anything different with this post than others regarding images, please advice. Thanks! Edit:  I've discovered that moving the image files from a my sub directory folder "Pics for Blog" to the top level of the "Files" folder on my site allows the images to display live.  This, even though my other blog posts are correctly

        • Creating multiple CRM leads from a Zoho Forms subform

          Hi all, We have a heavily used intake form that is used for new leads as a part of our intake. There is a subform that allows the lead to add additional team members, their titles and other basic info. That form submission creates a new Lead and the subform

        • Checkbox Field Mapping Zoho Forms to Zoho Sign

          I have an application that will be filled out via Forms that I am mapping into a PDF Filler on Zoho Sign. I need to have a series of checkboxes mapped to the corresponding fields in Sign and I only see single checkboxes available via the mapping, though

        • MCP > Creator connection failing with Claude

          I'm trying to get claude to access any of my Zoho Creator apps and it keeps failing. I have enabled all tools for creator and ensured in claude settings that everything is authorised. Here is what claude says : Unfortunately, the error messages I'm receiving

        • Books P&L by Customer

          Lately, we have found that the Customer field filter for the Profit & Loss report in Zoho Books is no longer available. We have several projects with the same customer and look at the P&Ls by project AND by Customer (overall). Can you please add back in this field selection alongside the Project field to the P&L report filter? Thanks! -Gina

        • Sent mail sort by date disappeared

          Hello, We used to be able to sort the emails by date in the sent folder, but this feature has recently disappeared. Can we bring it back?

        • I cannot check out to Zoho People.

          When I tried to check out today, there's prompt that inhibits me to check out: To add entry in Attendance, log time for any of your jobs

        • Pricing Strategies: #2 Plan your Service Offerings using Plans

          Meet Harvey & Mia, hailing from the same Tech school, carrying the dream of setting up their own IT maintenance firm in their location. They drew up a clear business plan and put their business in motion on New Year's Eve. They had great reception right

        • Open a record to edit based on another form being edited

          Hi all, I am trying to edit a record based on another record being edited. It works out like this: When I create a Monthly_Update and then submit I open the Monthly_Levels form and pass the ID from the Monthly_Update to a field called mu. I want it to

        • Problem with signature on zoho survey

          Hello, I'm trying to export individual responses with signatures on zoho survey. But the signatures on some of my surveys are not exported as the original image, but as a generic image, same for all (screen joins). Is there a solution to have the signatures

        • Change in Zoho CRM API?

          Hello, I am using the Zoho API trough the PHP SDK v2.1 Since few days, I noticed that I have to change the way I pass the data to the API when I create, update, or upsert a record. Dates Before I was passing a PHP date object to "$record->addKeyValue(...)",

        • MTA - BAD IP reputation by outlook/hotmail

          Messages to Microsoft email servers are bouncing back due to poor reputation. Message: 4.7.650 The mail server [136.143.188.206] has been temporarily rate limited due to IP reputation. For e-mail delivery information see https://postmaster.live.com (S775)

        • QuickBooks Extension for Zoho CRM - Advanced Features -2025

          Hello Everyone, We’re happy to announce the latest version of our QuickBooks Extension for Zoho CRM, now officially live on the Zoho Marketplace! This release introduces one-click data sync, a user-friendly UI, enhanced performance, and a powerful set

        • Changing Department often causes the Firefox tab to freeze

          Title, it doesn't seem to happen with neither Opera nor Chrome. And even in Firefox, sometimes it just lets me change the department I'm in no problem, even to All Departments which is probably the most, like, resource heavy? But most of the time, the

        • Need to integrate Zoho Mail Mobile app with Zoho Meeting Mobile App for Android and Apple

          Hello Zoho Team, Please bring integration of Zoho Mail Mobile app with Zoho Meeting for Android and Apple Thanks

        • ¡Muchas gracias por participar a los Meetups de Usuarios de Zoho! Y Novedades del ecosistema Zoho

          ¡Hola Comunidad de Zoho en Español! 👋 Después de un breve lapso de tiempo, volvemos con una nueva edición de nuestro Community Digest, donde te contamos las novedades de los productos de Zoho en los últimos meses. Estas mejoras se centran en nuestros

        • Anyway to move mail from one account to another yet?

          Hello, Is there any way to move email from one mailbox account to another mailbox account in zoho yet? Thanks, Ryan.

        • Using a CRM Client Script Button to create a Books Invoice

          Hello, I need help handling error messages returned to my client script from a function. The scenario I have setup a client script button which is available from each Deal. This CS executes a crm function, which in turn creates an invoice based on the

        • Building Toppings #2 - Learn how to use Bigin's Developer Console to build toppings

          Hey Biginners, In our last post, we discussed what toppings are, why they're essential to extending Bigin's capabilities, and how the Bigin Developer Center serves as the starting point for building them. As a cloud platform, the Developer Center empowers

        • Proposal for Creating a Unique "Address" Entity in Zoho FSM

          The "Address" entity is one of the most critical components for a service-oriented company. While homeowners may change and servicing companies may vary, the address itself remains constant. This constancy is essential for subsequent services, as it provides

        • Links are incorrect when sent out

          I'm adding in hyperlinks into my eDM. When I send a test email, it's all correct. However, when I send out the eDM, all the hyperlinks jump up one space so none of the links are opening to the correct page. Why is this happening and how can I fix it?

        • Tip of the week #16 - Search and filter threads based on criteria

          Zoho TeamInbox lets you search and filter threads with any information that you have about the thread. You just have to input the criteria and Zoho TeamInbox will list all the threads that match the condition.   Firstly, there is a global search you can

        • Introducing recipient authentication via Stripe Identity in Zoho Sign

          Hi everyone! It's important to authenticate your recipient's identity before they access and sign important documents to ensure the highest level of compliance. Zoho Sign already helps businesses do this with various authentication methods: SMS OTP Email

        • Introducing Multi-Asset Support in Work Orders, Estimates, and Service Appointments

          We’re excited to announce a highly requested enhancement in Zoho FSM — you can now associate multiple assets with Work Orders, Estimates, and Service Appointments. This update brings more clarity, flexibility, and control to your field service operations,

        • Next Page