Kaizen #168 - Incremental Authorization

Kaizen #168 - Incremental Authorization


Welcome to this week's post in the Kaizen series. In this post, we will discuss Incremental Authorization. 

What is Incremental Authorization?

Incremental Authorization is an OAuth strategy that allows a client to request specific authorization scopes as and when needed. This means that the client does not have to request every possible scope that might be needed upfront, which might result in a bad user experience. Incremental Authorization is considered a best practice in Oauth Authorization Request as:
  • Users are not overloaded with scopes in the initial stage
  • Users can control the amount of data they share

Who can use Incremental Authorization?

Server-based applications can make use of incremental authorization 

Incremental Authorization Flow

Incremental Authorization Flow

When a user first signs into the application, the application requests only the essential permissions needed. The user may trigger features that require additional permissions as they engage with the application. When the application identifies this, it follows the below steps:

Initiation Request (Step 1: Get Scope Enhancement Token )

The application makes a POST request to the endpoint /oauth/v2/token/scopeenhance, including the existing refresh token as a parameter. This request is aimed at obtaining a scope enhancement token, which is necessary for requesting additional permissions.

Scope Enhancement Request (Step 2)

After receiving the scope enhancement token, the app then makes a request to the endpoint /oauth/v2/token/addextrascope. In this request, it specifies which additional scopes are needed.

User Consent

The user is presented with a consent screen that details the new permissions being requested. This screen will only show the new permissions required and not those already granted.
If the user approves these new permissions, the refresh token (used in Step 1) and its associated access tokens will be updated to include the newly granted scopes.

Success Response

Upon successful approval by the user, a success response is returned, confirming that the additional scopes have been appended to the existing refresh token.

When is Incremental Authorization Useful?

Let us take a look at two scenarios where incremental authorization is particularly useful.

Scenario 1 

Zylker Marketing, a marketing agency, utilizes a custom in-house marketing tool that integrates with Zoho CRM.  Initially, the tool has permission to read Leads in Zoho CRM. However, as the marketing team expands their operations, they realize that they require to create new Contacts based on sign-ups and retrieve existing deals data for analysis. The tool is then revamped to create Contacts and view Deals data. 
When a marketer who uses the tool tries to create a Contact for the first time, the incremental authorization method is called in the backend. The marketer is redirected to the Zoho login page. Once logged in, the marketer is prompted to give access to the new resources. This enhances the refresh token, and the tool can continue using the same refresh token. 

Scenario 2

Consider that you want to use a new Zoho CRM API that just got released as part of the version release. Your refresh token does not have the required scope to access the new API.  You can make use of incremental authorization to append the required scope to the same refresh token in these cases.

How can you use Incremental Authorization?

Step 1: Initiation Request 

First, you need to send a request to get the scope enhancement token along with the refresh token for which the extra access is required.

Request format

POST 
{accounts-url}/oauth/v2/token/scopeenhance
?grant_type=update_scopes_token
&client_id={client_id}
&client_secret={client_secret}
&refresh_token={refresh_token}


The accounts-url is specific to the location (i.e., datacenter) where the client is registered. See all the server-specific URLs.
Request Parameters 
You should send the initiation request with the below parameters. All parameters are mandatory
  • grant_type: Specify the value as "update_scopes_token".
  • client_id: Specify the client-id obtained from the API console.
  • client_secret: Specify client-secret obtained from the API console.
  • refresh_token: Specify the refresh token to which the additional scopes should be appended.
You will receive a response in the below format
{
"access_token": "{scope_enhancement_token}",
"token_type": "update_scope",
"expires_in": 600
}

The scope_enhancement_token received in this response should be passed as a parameter in the next step - scope enhancement request.

Step 2: Scope enhancement request

This request appends the refresh token with additional scopes.
Request format
GET
{accounts-url}/oauth/v2/token/addextrascope
?response_type=update_scopes
&client_id={client_id}
&redirect_uri={redirect_uri}
&scope={required_scopes}
&enhance_token={scope_enhancement_token}
&logout=true

Parameters
  • response_type: Specify the value as "update_scopes".
  • client_id: Specify the client-id obtained from the API console.
  • redirect_uri : Specify the URI to which the authorization server will redirect the browser back with success or failure response. It has to be the same URI which is provided when registering the app in the API console.
  • scope: Specify the scopes of the additional resources for which access is required.
  • enhance_token: Scope enhancement token received in the response of the previous initiation request. 
  • logout: Specify as true if the user's session should be terminated after the permission is granted or rejected.
When this request is called, the application redirects the user to the Zoho Login page, and the user enters the Zoho credentials. Then, the permissions required are displayed once the user is authenticated.
The refresh token will be appended with the additional scopes, and a success response will be returned when the user grants permission. The user will be redirected to the redirect_uri with params status as success and scope_enhanced as true. The user can continue using the same refresh token can be used. If the user rejects the authentication, the system returns a failure response.  The user will be redirected to the redirect_uri with params error as access_denied.

You will receive a response in the below formats:

Success Response
{redirect_uri}?status=success&scope_enhanced=true

Failure Response
{redirect_uri}?error=access_denied

We hope you found this post useful. We will meet you next week with another interesting topic!
If you have any questions, let us know in the comment section.
Cheers!




      • Sticky Posts

      • Kaizen #198: Using Client Script for Custom Validation in Blueprint

        Nearing 200th Kaizen Post – 1 More to the Big Two-Oh-Oh! Do you have any questions, suggestions, or topics you would like us to cover in future posts? Your insights and suggestions help us shape future content and make this series better for everyone.

      • Kaizen #226: Using ZRC in Client Script

        Hello everyone! Welcome to another week of Kaizen. In today's post, lets see what is ZRC (Zoho Request Client) and how we can use ZRC methods in Client Script to get inputs from a Salesperson and update the Lead status with a single button click. In this

      • Kaizen #222 - Client Script Support for Notes Related List

        Hello everyone! Welcome to another week of Kaizen. The final Kaizen post of the year 2025 is here! With the new Client Script support for the Notes Related List, you can validate, enrich, and manage notes across modules. In this post, we’ll explore how

      • Kaizen #217 - Actions APIs : Tasks

        Welcome to another week of Kaizen! In last week's post we discussed Email Notifications APIs which act as the link between your Workflow automations and you. We have discussed how Zylker Cloud Services uses Email Notifications API in their custom dashboard.

      • Kaizen #216 - Actions APIs : Email Notifications

        Welcome to another week of Kaizen! For the last three weeks, we have been discussing Zylker's workflows. We successfully updated a dormant workflow, built a new one from the ground up and more. But our work is not finished—these automated processes are

        • Recent Topics

        • Canvas View bug

          I would like to report a bug. When clone a canvas view from an existing canvas view, if the original canvas view have canvas button with client script. Then the new create canvas view will have canvas button, it is make sense. But when I try to delete

        • Export blueprint as a high-resolution PDF or image file

          This would be a good feature for organizations that want to share the blueprint process with their employees but don't want them to have access to the blueprint in the system settings. At the moment all that users can do is screenshot the blueprint or

        • Zoho Recruit Community Meetup - London 🇬🇧 (Venue Finalised)

          Hello Recruiters! We’re excited to announce that the Zoho Recruit team is coming to the UK for an in-person Zoho User Group (ZUG) Meetup in London! This is your chance to connect with fellow Zoho users, learn from experts, and walk away with actionable

        • Is Zoho down today?

          I can't do a single thing. I tried changing some views and reports and got "undefined" - then I tried editing a form, got "undefined' - started a new form and can't add any fields as when I drag and drop it also says "undefined." What is going on? HELP.

        • How to create estimates/Invoices with sub-totals

          Every other accounting package can create estimates and invoices with Sub-totals. How can I do that in ZohoBooks?

        • 【参加無料】東京 Zoho ユーザ交流会 NEXUS ー AI エージェント (Zia Agents)の活用事例 / CRMで実現するマーケティング業務効率化

          ユーザーの皆さま、こんにちは。コミュニティチームの藤澤です。 3月27日(金)に東京、新橋で「東京 Zoho ユーザー交流会 NEXUS」を開催します! ーーーーーーーーーーーーーーーーーーーーーーーーーーーーーーーーーーーー ✒️申し込みはこちらから:https://www.zohomeetups.com/tokyo2026vol1#/?affl=communityforumpost2 ーーーーーーーーーーーーーーーーーーーーーーーーーーーーーーーーーーーー ★参加のおすすめポイント ✅ AIエージェント(Zia)のリアルに使える実例を知る

        • Python - code studio

          Hi, I see the code studio is "coming soon". We have some files that will require some more complex transformation, is this feature far off? It appears to have been released in Zoho Analytics already

        • 🚀 WorkDrive 6.0 (Phase 1): Empowering Teams with Content Intelligence, Automation, Accessibility, and Control

          Hello, everyone! WorkDrive continues to evolve from a robust file management solution into an intelligent, secure, and connected content collaboration platform for modern businesses. Our goal remains unchanged: to simplify teamwork, strengthen data security,

        • Support Custom Background in Zoho Cliq Video Calls and Meetings

          Hello Zoho Cliq Team, We hope you are doing well. We would like to request an enhancement to the video background capabilities in Zoho Cliq, specifically the ability to upload and use custom backgrounds. Current Limitation At present, Zoho Cliq allows

        • ISO 27001 Compliance

          What are people doing to ensure ISO 27001 compliance for their Zoho environments? It would make sense for Log360 Cloud to integrate natively with the Zoho suite, but that is not the case. It requires a gateway cluster, which is not an option for a fully

        • Zoho People - Retrieve the Leave Details - get("LeaveCount")

          Hi, Zoho People I need to collect all of an employee's leave requests for the calendar year and check how many half-days they have taken. If I run the script on the query he just modified, I can retrieve the information related to that query and use the

        • What's new in Zoho Sheet: Simplify data entry and collaboration

          Hello, Zoho Sheet community! Last year, our team was focused on research and development so we could deliver updates that enhance your spreadsheet experience. This year, we’re excited to deliver those enhancements—but we'll be rolling them out incrementally

        • Marketer's Space: New to Campaigns? Some common early mistakes that might occur

          Hello Marketers, Welcome back to another post in Marketer's Space. If you're just getting started with Zoho Campaigns, things can feel exciting and slightly confusing at the same time. You're not alone. Most early frustrations come from setup gaps rather

        • This user is not allowed to add in Zoho. Please contact support-as@zohocorp.com for further details

          Hello, Just signed up to ZOHO on a friend's recommendation. Got the TXT part (verified my domain), but whenever I try to add ANY user, I get the error: This user is not allowed to add in Zoho. Please contact support-as@zohocorp.com for further details I have emailed as well and writing here as well because when I searched, I saw many people faced the same issue and instead of email, they got a faster response here. My domain is: raisingreaderspk . com Hope this can be resolved.  Thank you

        • Workflow Rule - Field Updates: Ability to use Placeholders

          It will be great if you can use placeholder tags to update fields. For example if we want to update a custom field with the client name we can use ${CONTACT.CONTACT_FIRSTNAME}${CONTACT.CONTACT_LASTNAME}, etc

        • Need a Universal Search Option in Zohobooks

          Hello Zoho, Need a Universal Search Option in Zohobooks to search across all transactions in our books of accounts. Please do the needful Thanks

        • Implement Date-Time-Based Triggers in Zoho Desk

          Dear Zoho Desk Support Team, We are writing to request a new feature that would allow for the creation of workflows triggered by specific date-time conditions. Currently, Zoho Desk does not provide native support for date-time-based triggers, limiting

        • Why is my Lookup field not being set through Desk's API?

          Hello, I'm having trouble setting a custom field when creating a Ticket in Zoho Desk. The endpoint I'm consulting is "https://desk.zoho.com/api/v1/tickets" and even though my payload has the right format, with a "cf" key dedicated to all custom fields,

        • How exactly does "Reply assistance" work in Zoho Desk? What context is sent to the LLM?

          Hi, Im trying to better understand the technical behavior of the feature "Reply assistance" in Zoho Desk, and I couldn’t find detailed information in the current documentation. Specifically, I have questions about what data is actually being sent to the

        • Deletion Workflows

          Hello, Unless I missed it, we can't create deletion workflows. My usecase is to auto-delete junk leads. We have field called lead status, and an agent qualify all our new leads. When it's a junk lead she chose the correspondant value in the picklist. My goal is that the system delete them automatically. Is that possible? Planed ?

        • URGENTImpossible to book an appointement

          J'essaie plusieurs fois mais aucun créneau n''est disponible Message d'erreur lorsque j'essaie de sélectionner une date

        • Sendpulse SMTP/IMAP Issues

          It’s possible Zoho made some changes on their side. Sometimes, even if your regular password works, Zoho requires an app-specific password for external apps like SendPulse to connect via IMAP. You can create this in Zoho’s security settings and use it

        • Insane mail security

          I cannot access my email... anywhere. For some reason the password for the Mail app on my Mac is being rejected, it worked yesterday but now it doesn't? Ok let's try the web interface. I can access my general Zoho login with the password but if I want

        • Task list flag Internal/External for all phases

          Phases are commonly used in projects to note milestones in the progression of a project, while task lists can be used to group different types of tasks together. It makes sense to be able to define a task list as either internal or external however the

        • HAVING PROBLEM WITH SENDING EMAIL

          Hi all, I'm unable to receive emails on info@germanforgirls.eu. I'm getting an error code 550. 5.1.1. invalid email recipients. Moreso, I would like info@germanforgirls.eu to be the default "send from" email and not solomon@germanforgirls.eu. Kindly see

        • Sharing my portal URL with clients outside the project

          Hi I need help making my project public for anyone to check on my task. I'm a freelance artist and I use trello to keep track on my client's projects however I wanted to do an upgrade. Went on here and so far I'm loving it. However, I'm having an issue sharing my url to those to see progress. They said they needed an account to access my project. How do I fix this? Without them needing an account.

        • Different Task Layouts for Subtasks

          I was wondering how it would be possible for a subtask to have a different task layout to the parent task.

        • Subscription went to default (@zoho.com) address instead for custom domain

          Hello! So I bought a lite sub to test things out, wanting to use my own domain. However, after passing through all the verification steps (completed now), it seems that the sub I bought was assigned to the default email that I already had with Zoho and

        • Canvas templates and font-family

          i dont understant why its always the smallest things that waste all of my time! why in some videos i see they have tamplates in the Canvas editor and i cant seem to fint it? and why oih why cant i cange the font? i just want simple Arial! help meeeeeeeeee

        • Re: Ca.gory groups and not all email addresses being added to a group emails

          Hi, I have added emails under 'Contacts' into categories but when sending a group email and putting the category name in not all email addresses go onto the email. I have refreshed the page, deleted and redone the info etc with no luck. I only found out

        • IMPORTANT

          Dear Zoho Support Team, I am currently experiencing an issue when trying to send emails from my Zoho Mail account. Each time I attempt to send a message, I receive the following error: "Unable to send message; Reason: 554 5.1.8 Email Outgoing Blocked."

        • Able to Send Emails from Zoho but Not Receiving Emails from Gmail

          Hello, I am experiencing an issue with my shopify domain email setup and would appreciate your help. Current situation: I can successfully send emails using Zoho. I can receive emails from some services (for example, Facebook). However, I cannot receive

        • Announcing new features in Trident for Windows (v.1.38.5.0)

          Hello Community! Trident for Windows just received a major update, with a range of capabilities that focuses on strengthening and enhancing communication. Let’s dive into what’s new! View complete technical email details. For those who need deeper visibility

        • Accounting of Amazon

          I have recently started selling on Amazon.in and I am facing issues with different types of transactions: What entry to do in case of return? If I had sent two products and customer returned both the products but I had received only one and got the claim

        • Compose Emails Faster Using Templates and Snippet

          Hello everyone, We have made an enhancement to the Send as Email option in Tickets. Agents can use templates and snippets to draft their response, which helps save time and maintain consistency. The Send as Email page will display the available templates

        • Customize Colors used on graphs and charts according to users desire.

          It would be great if we could customize the graph's colors as we see fit. I hate that yellow is always the default color!

        • Emails not integrating

          My emails from Hubspot did not integrtate over. How do I fix that?

        • Creating meetings from an email

          Hi. Similar to Outlook, it would be helpful if a meeting can be scheduled from an email so that the attendees need not be manually entered every time it's created.

        • Want to use Zoho Books in Switzerland. CHF support planned?

          Hi, We're a Swiss company using other Zoho suite software and I discovered Zoho Books and other accounting SaaS when looking for an accounting tool. Do you intend to cover Switzerland and CHF based accounting anytime soon? Roy

        • RouteIQ for Zoho FSM

          Beste, Zou wel top zijn dat we een RouteIQ hebben voor FSM aangezien we constant moeten zien wat de beste route is voor onze monteurs. Nu moeten we een speciale aparte programma hebben om de beste route te berrekenen voor onze monteurs aangezien de planning

        • Next Page