Kaizen #168 - Incremental Authorization

Kaizen #168 - Incremental Authorization


Welcome to this week's post in the Kaizen series. In this post, we will discuss Incremental Authorization. 

What is Incremental Authorization?

Incremental Authorization is an OAuth strategy that allows a client to request specific authorization scopes as and when needed. This means that the client does not have to request every possible scope that might be needed upfront, which might result in a bad user experience. Incremental Authorization is considered a best practice in Oauth Authorization Request as:
  • Users are not overloaded with scopes in the initial stage
  • Users can control the amount of data they share

Who can use Incremental Authorization?

Server-based applications can make use of incremental authorization 

Incremental Authorization Flow

Incremental Authorization Flow

When a user first signs into the application, the application requests only the essential permissions needed. The user may trigger features that require additional permissions as they engage with the application. When the application identifies this, it follows the below steps:

Initiation Request (Step 1: Get Scope Enhancement Token )

The application makes a POST request to the endpoint /oauth/v2/token/scopeenhance, including the existing refresh token as a parameter. This request is aimed at obtaining a scope enhancement token, which is necessary for requesting additional permissions.

Scope Enhancement Request (Step 2)

After receiving the scope enhancement token, the app then makes a request to the endpoint /oauth/v2/token/addextrascope. In this request, it specifies which additional scopes are needed.

User Consent

The user is presented with a consent screen that details the new permissions being requested. This screen will only show the new permissions required and not those already granted.
If the user approves these new permissions, the refresh token (used in Step 1) and its associated access tokens will be updated to include the newly granted scopes.

Success Response

Upon successful approval by the user, a success response is returned, confirming that the additional scopes have been appended to the existing refresh token.

When is Incremental Authorization Useful?

Let us take a look at two scenarios where incremental authorization is particularly useful.

Scenario 1 

Zylker Marketing, a marketing agency, utilizes a custom in-house marketing tool that integrates with Zoho CRM.  Initially, the tool has permission to read Leads in Zoho CRM. However, as the marketing team expands their operations, they realize that they require to create new Contacts based on sign-ups and retrieve existing deals data for analysis. The tool is then revamped to create Contacts and view Deals data. 
When a marketer who uses the tool tries to create a Contact for the first time, the incremental authorization method is called in the backend. The marketer is redirected to the Zoho login page. Once logged in, the marketer is prompted to give access to the new resources. This enhances the refresh token, and the tool can continue using the same refresh token. 

Scenario 2

Consider that you want to use a new Zoho CRM API that just got released as part of the version release. Your refresh token does not have the required scope to access the new API.  You can make use of incremental authorization to append the required scope to the same refresh token in these cases.

How can you use Incremental Authorization?

Step 1: Initiation Request 

First, you need to send a request to get the scope enhancement token along with the refresh token for which the extra access is required.

Request format

POST 
{accounts-url}/oauth/v2/token/scopeenhance
?grant_type=update_scopes_token
&client_id={client_id}
&client_secret={client_secret}
&refresh_token={refresh_token}


The accounts-url is specific to the location (i.e., datacenter) where the client is registered. See all the server-specific URLs.
Request Parameters 
You should send the initiation request with the below parameters. All parameters are mandatory
  • grant_type: Specify the value as "update_scopes_token".
  • client_id: Specify the client-id obtained from the API console.
  • client_secret: Specify client-secret obtained from the API console.
  • refresh_token: Specify the refresh token to which the additional scopes should be appended.
You will receive a response in the below format
{
"access_token": "{scope_enhancement_token}",
"token_type": "update_scope",
"expires_in": 600
}

The scope_enhancement_token received in this response should be passed as a parameter in the next step - scope enhancement request.

Step 2: Scope enhancement request

This request appends the refresh token with additional scopes.
Request format
GET
{accounts-url}/oauth/v2/token/addextrascope
?response_type=update_scopes
&client_id={client_id}
&redirect_uri={redirect_uri}
&scope={required_scopes}
&enhance_token={scope_enhancement_token}
&logout=true

Parameters
  • response_type: Specify the value as "update_scopes".
  • client_id: Specify the client-id obtained from the API console.
  • redirect_uri : Specify the URI to which the authorization server will redirect the browser back with success or failure response. It has to be the same URI which is provided when registering the app in the API console.
  • scope: Specify the scopes of the additional resources for which access is required.
  • enhance_token: Scope enhancement token received in the response of the previous initiation request. 
  • logout: Specify as true if the user's session should be terminated after the permission is granted or rejected.
When this request is called, the application redirects the user to the Zoho Login page, and the user enters the Zoho credentials. Then, the permissions required are displayed once the user is authenticated.
The refresh token will be appended with the additional scopes, and a success response will be returned when the user grants permission. The user will be redirected to the redirect_uri with params status as success and scope_enhanced as true. The user can continue using the same refresh token can be used. If the user rejects the authentication, the system returns a failure response.  The user will be redirected to the redirect_uri with params error as access_denied.

You will receive a response in the below formats:

Success Response
{redirect_uri}?status=success&scope_enhanced=true

Failure Response
{redirect_uri}?error=access_denied

We hope you found this post useful. We will meet you next week with another interesting topic!
If you have any questions, let us know in the comment section.
Cheers!




      • Sticky Posts

      • Kaizen #198: Using Client Script for Custom Validation in Blueprint

        Nearing 200th Kaizen Post – 1 More to the Big Two-Oh-Oh! Do you have any questions, suggestions, or topics you would like us to cover in future posts? Your insights and suggestions help us shape future content and make this series better for everyone.

      • Kaizen #226: Using ZRC in Client Script

        Hello everyone! Welcome to another week of Kaizen. In today's post, lets see what is ZRC (Zoho Request Client) and how we can use ZRC methods in Client Script to get inputs from a Salesperson and update the Lead status with a single button click. In this

      • Kaizen #222 - Client Script Support for Notes Related List

        Hello everyone! Welcome to another week of Kaizen. The final Kaizen post of the year 2025 is here! With the new Client Script support for the Notes Related List, you can validate, enrich, and manage notes across modules. In this post, we’ll explore how

      • Kaizen #217 - Actions APIs : Tasks

        Welcome to another week of Kaizen! In last week's post we discussed Email Notifications APIs which act as the link between your Workflow automations and you. We have discussed how Zylker Cloud Services uses Email Notifications API in their custom dashboard.

      • Kaizen #216 - Actions APIs : Email Notifications

        Welcome to another week of Kaizen! For the last three weeks, we have been discussing Zylker's workflows. We successfully updated a dormant workflow, built a new one from the ground up and more. But our work is not finished—these automated processes are

        • Recent Topics

        • You cannot send this campaign as there is no contact in the selected mailing list.

          We have synced contact lists and sent campaigns just fine prior to today.  Now no matter what list I upload when I go to send the campaign it gives an error "You cannot send this campaign as there is no contact in the selected mailing list." And now it

        • Pivot Report Formula - using a today() variable

          Is it possible for me to use a value of today() in a formula on a pivot table? I'm trying to identify where the end date of a project is greater than the current date if("10. Projects (Zoho Projects).End Date" > today(), 'Yes', 'No') I get the error that

        • Cannot connect IMAP to outlook

          Hello I have followed the instructions to connect my zoho account to Outlook IMAP but get this message: Session Id: bba118fb-151c-824f-9512-3ad1e91b109d Timestamp: 1708976566964 Error code: INVALIDCREDENTIALS INTERACTIONREQUIRED I'm using the exact configeration

        • Department Overview by Modified Time

          We are trying to create visuals to show the work our agents do in Zoho Desk. Using Zoho Analytics how can we create a Department Overview per modified time and not ticket created time? In order for us to get an accurate view of the work our agents are

        • Enhance Sign CRM integration

          Hello all, I'm working on a custom Deluge script to enhance the integration between Zoho CRM and Sign by using a writer merge template for additional flexibility. I want to replicate the post-sign document integration that exists between CRM and Sign

        • Zoho Workdrive download was block by security software

          Hi Team, Recently workdrive download was blocked by huorong security. Could you please advise how to put zoho workdrive as white list? every time we put "*.zohoexternal.com" or "workdrive.zohoexternal.com", the warning msg will still pop in next dow

        • Choosing a portal option and the "Unified customer portal"?

          I am trialling Zoho to replace various existing systems, one of which is a customer portal. Our portal allows clients to add and edit bookings, complete forms, manage their subscriptions and edit some CRM info. I am trying to understand how I might best

        • General feedback

          I think Zoho is at the moment (potentially) the best, or perhaps the only, real online solution, for business, and not just business. Surely the only one that has all the features that I need (and I've probably tried everything, at least all that has a cost-free option). It has still got lots of bugs and imperfect features, so I do hope it keeps developing and becomes a really professional platform. Lots of people (including me) want to use such one platform for all scheduling/mail/note-taking...

        • How to add SSL to Short URL custom domain?

          Hi, I've added a custom domain the the URL Shortener Domains. It's creating the short URL fine, but when clicking through, firstly I get an SSL warning, then a 400 Bad Request warning.

        • Single Portal for Multiple Apps

          Hello, I'm just getting started with Zoho and I'm very overwhelmed. I am currently using the free trial of Zoho One, but if I can figure it out, I intend to upgrade to the paid version. Zoho One, of course, gives me  access to an entire suite of services/applications. One of the things I'd like to do is have a single place for clients (customers?) to log in and view current projects, invoices, contact information, etc. A single login for my clients. A single portal. I've come across documentation

        • Antispam validation failed for your domain in Accounts

          I tried adding a domain to zeptomail.zoho.com, but the “add domain” operation failed. The front‑end error reads: “Domain could not be added. Please contact support@zeptomail.com.” The back‑end API returned: ``` { "error": { "code": "TM_3601", "details":

        • CodeX Scripts for Enforcing Custom Project Logic

          Every organization has a defined way of executing projects. There are clear expectations around how tasks should move, when projects should progress, and which actions require validation. When these rules are consistently followed, projects remain structured

        • Cancelled appointments still block out timeslot

          I haven't had to test this before, but I've just found a problem. I had an appointment in a certain timeslot, and that appointment was cancelled. However, Bookings won't let another appointment be booked in that slot - it makes that time unavailable until

        • Preventing Group Emails From Being Sent to Group Member Personal Mail

          We have a group setup for a public facing email address. We have streams turned on for this group. Right now when an email is sent to this group email it hits the group stream and also sends a copy of the email to all group members. We'd like to disable

        • Unusual activity detected from this IP. Please try again after some time.

          Hello Zoho admin and IT team We are a registered website in Eloctronic services and we been trying to add our users to the zoho system but this issue faced us ,, hope you unlocked us please.

        • ¿Puedo migrar mi sitio desde WordPress a Zoho? ¿Zoho admite herramientas con código personalizado?

          ¡Hola comunidad! Estoy evaluando la posibilidad de migrar mi sitio web https://calculadoradenotas.cl/ desde WordPress a una solución Zoho, y tengo algunas dudas técnicas que espero puedan aclararme. Mi sitio no es solo informativo: es una herramienta

        • How do I link my invoice to an estimate?

          There has been instances where I have created estimates, however, invoices for the same estimate were created independently. The status of these estimates hasn't converted to 'invoiced'. 

        • Impossible to import Journal from Freshbooks

          I have been trying to import journals from Freshbooks since August 30th. Every time I try to import, I get an error message. I have already made sure every row has a date. First it was saying the account and notes had unexpected input and that every debit/credit

        • Peppol: Accept Bill (Belgium)

          Hi, This topic might help you if you're facing the same in Belgium. We are facing an issue while accepting a supplier bill received by Peppol in Zoho Books. There is a popup with an error message: This bill acceptance could not be completed, so it was

        • Convert invoice from zoho to xml with all details

          How to convert an Invoice to XML format with all details

        • Prevent subform editing on a module's detail's page

          Hi everyone, We would like to prevent any editing of the subform data in the : Create page Edit page Details page (as subform editing is now allowed by the recent UX update) We are able to prevent editing by making the subform fields read only in the

        • Weekly Tips : Save Time with Saved Search

          Let's assume your work requires you to regularly check emails from important clients that have attachments and were sent within a specific time period. Instead of entering the same conditions every time—like sender, date range, and attachments included—you

        • Discontinuing Zoho ShowTime service on May 30, 2026

          Hello everyone, As a follow-up to our earlier announcement, we’d like to share an important update regarding Zoho ShowTime’s discontinuation timeline. Zoho ShowTime, our online training platform, reached its end of life on December 31, 2025, and its services

        • Ability to CC on a mass email

          Ability to CC someone on a mass email.

        • Bookings duration - days

          Hi team, Is there any way to setup services/bookings that span multiple days? I am using Zoho Bookings for meeting room bookings. Clients may wish to book a room for more than one day, for up to a month.  If not, is there a plan to allow services to be setup with durations of Days as well as hours and minutes? Many thanks, Anna.

        • Customer address in Zoho Bookings

          Hello,  Is it possible to add customer address information to the Zoho bookings appointment screen? Or have it pull that information automatically from the CRM? We are wanting to use this as a field management software but it is difficult to pull the address from multiple sources when it would be ideal to have a clickable address on the appointment screen that opens up the user's maps.  It would also be advantageous for the "list view" to show appointment times instead of just duration and booking

        • Feature Request - Allow Customers To Pick Meeting Duration

          Hi Bookings Team, It would be great if there was an option to allow customers to pick a duration based on a max and minimum amount of time defined by me and in increments defined by me. For example, I have some slots which are available for customers

        • New feature: Invite additional guests for your bookings

          Hello everyone, Greetings from Zoho Bookings! We are happy to announce the much-awaited feature Guest Invite, which enhances your booking experience like never before. This feature allows additional participants to be invited for the bookings to make

        • Changing the owner of a call

          Am I correct in my conclusion that I cannot change the owner of a call in Zoho? The field does not show up in the screen, nor can I make it show up as the systems does not give me that option. I cannot "mass update" it either. I tried it, but Zoho refuses to change the name of the owner. Please help out: how do I change the owner of a call.

        • Unified Notes View For Seamless Collaboration

          To facilitate better coordination among different departments and team members, the notes added to a record can now be accessed in all its associated records. With this, team members, from customer service representatives to field technicians, can easily

        • Remove Profiles from "Forecast" Module

          How can I remove Profiles from My forecast Module? Image Below The only revenue generators are the VP's, and the Estimation Managers, and the Estimators subordinate to the Est. Managers. How can I remove the unused Profiles? Its frustrating to see them

        • Restoring records from the recycle bin programatically

          Background I'm working on a piece of software to automate conversion of Leads into Deals based on order status from my company's website. The process is mostly complete, right now I'm just working on handling a few edge cases to ensure data integrity.

        • Does Zoho Learn integrate with Zoho Connect,People,Workdrive,Project,Desk?

          Can we propose Zoho LEarn as a centralised Knowledge Portal tool that can get synched with the other Zoho products and serve as a central Knowledge repository?

        • Create static subforms in Zoho CRM: streamline data entry with pre-defined values

          Last modified on (9 July, 2025): This feature was available in early access and is currently being rolled out to customers in phases. Currently available for users in the the AU, CA, and SA DCs. It will be enabled for the remaining DCs in the next couple

        • Invoices not arriving and mail server settings

          I am having an issue where some clients are not receiving invoices. I have configured Zoho Books to send on my behalf and configured the appropriate SPF, DKIM and DMARC settings on my mail server and tested these as working. I get the CC'd copies so I

        • SalesIQ Identity Update for Logged In Wordpress User

          Hey folks, SalesIQ does not automatically detect when a visitor logs in to WordPress and update their identity to match. For example, if a client of ours visits the site and logs in, SalesIQ will not track them correctly by default. The Solution The solution

        • Paragraph spacings in Zoho Notebook are double-spaced only. Is there a way to keep the original spacing format?

          Sorry I don't know the proper terminologies but the best way I can put it is all single-spaced paragraphs that I copy to Zoho Notebook become double-spaced paragraphs. It's very inconvenient and counterproductive when copying and pasting things from and

        • Changing line space in Notebook

          My lines are double spaced. How do i change to single space?

        • Plug Sample #14: Automate Invoice Queries with SalesIQ Chatbot

          Hi everyone! We're back with a powerful plug to make your Zobot smarter and your support faster. This time, we're solving a common friction point for finance teams by giving customers quick access to their invoices. We are going to be automating invoice

        • Workdrive on Android - Gallery Photo Backups

          Hello, Is there any way of backing up the photos on my android phone directly to a specific folder on Workdrive? Assuming i have the workdrive app installed on the phone in question. Emma

        • Next Page