Kaizen #168 - Incremental Authorization

Kaizen #168 - Incremental Authorization


Welcome to this week's post in the Kaizen series. In this post, we will discuss Incremental Authorization. 

What is Incremental Authorization?

Incremental Authorization is an OAuth strategy that allows a client to request specific authorization scopes as and when needed. This means that the client does not have to request every possible scope that might be needed upfront, which might result in a bad user experience. Incremental Authorization is considered a best practice in Oauth Authorization Request as:
  • Users are not overloaded with scopes in the initial stage
  • Users can control the amount of data they share

Who can use Incremental Authorization?

Server-based applications can make use of incremental authorization 

Incremental Authorization Flow

Incremental Authorization Flow

When a user first signs into the application, the application requests only the essential permissions needed. The user may trigger features that require additional permissions as they engage with the application. When the application identifies this, it follows the below steps:

Initiation Request (Step 1: Get Scope Enhancement Token )

The application makes a POST request to the endpoint /oauth/v2/token/scopeenhance, including the existing refresh token as a parameter. This request is aimed at obtaining a scope enhancement token, which is necessary for requesting additional permissions.

Scope Enhancement Request (Step 2)

After receiving the scope enhancement token, the app then makes a request to the endpoint /oauth/v2/token/addextrascope. In this request, it specifies which additional scopes are needed.

User Consent

The user is presented with a consent screen that details the new permissions being requested. This screen will only show the new permissions required and not those already granted.
If the user approves these new permissions, the refresh token (used in Step 1) and its associated access tokens will be updated to include the newly granted scopes.

Success Response

Upon successful approval by the user, a success response is returned, confirming that the additional scopes have been appended to the existing refresh token.

When is Incremental Authorization Useful?

Let us take a look at two scenarios where incremental authorization is particularly useful.

Scenario 1 

Zylker Marketing, a marketing agency, utilizes a custom in-house marketing tool that integrates with Zoho CRM.  Initially, the tool has permission to read Leads in Zoho CRM. However, as the marketing team expands their operations, they realize that they require to create new Contacts based on sign-ups and retrieve existing deals data for analysis. The tool is then revamped to create Contacts and view Deals data. 
When a marketer who uses the tool tries to create a Contact for the first time, the incremental authorization method is called in the backend. The marketer is redirected to the Zoho login page. Once logged in, the marketer is prompted to give access to the new resources. This enhances the refresh token, and the tool can continue using the same refresh token. 

Scenario 2

Consider that you want to use a new Zoho CRM API that just got released as part of the version release. Your refresh token does not have the required scope to access the new API.  You can make use of incremental authorization to append the required scope to the same refresh token in these cases.

How can you use Incremental Authorization?

Step 1: Initiation Request 

First, you need to send a request to get the scope enhancement token along with the refresh token for which the extra access is required.

Request format

POST 
{accounts-url}/oauth/v2/token/scopeenhance
?grant_type=update_scopes_token
&client_id={client_id}
&client_secret={client_secret}
&refresh_token={refresh_token}


The accounts-url is specific to the location (i.e., datacenter) where the client is registered. See all the server-specific URLs.
Request Parameters 
You should send the initiation request with the below parameters. All parameters are mandatory
  • grant_type: Specify the value as "update_scopes_token".
  • client_id: Specify the client-id obtained from the API console.
  • client_secret: Specify client-secret obtained from the API console.
  • refresh_token: Specify the refresh token to which the additional scopes should be appended.
You will receive a response in the below format
{
"access_token": "{scope_enhancement_token}",
"token_type": "update_scope",
"expires_in": 600
}

The scope_enhancement_token received in this response should be passed as a parameter in the next step - scope enhancement request.

Step 2: Scope enhancement request

This request appends the refresh token with additional scopes.
Request format
GET
{accounts-url}/oauth/v2/token/addextrascope
?response_type=update_scopes
&client_id={client_id}
&redirect_uri={redirect_uri}
&scope={required_scopes}
&enhance_token={scope_enhancement_token}
&logout=true

Parameters
  • response_type: Specify the value as "update_scopes".
  • client_id: Specify the client-id obtained from the API console.
  • redirect_uri : Specify the URI to which the authorization server will redirect the browser back with success or failure response. It has to be the same URI which is provided when registering the app in the API console.
  • scope: Specify the scopes of the additional resources for which access is required.
  • enhance_token: Scope enhancement token received in the response of the previous initiation request. 
  • logout: Specify as true if the user's session should be terminated after the permission is granted or rejected.
When this request is called, the application redirects the user to the Zoho Login page, and the user enters the Zoho credentials. Then, the permissions required are displayed once the user is authenticated.
The refresh token will be appended with the additional scopes, and a success response will be returned when the user grants permission. The user will be redirected to the redirect_uri with params status as success and scope_enhanced as true. The user can continue using the same refresh token can be used. If the user rejects the authentication, the system returns a failure response.  The user will be redirected to the redirect_uri with params error as access_denied.

You will receive a response in the below formats:

Success Response
{redirect_uri}?status=success&scope_enhanced=true

Failure Response
{redirect_uri}?error=access_denied

We hope you found this post useful. We will meet you next week with another interesting topic!
If you have any questions, let us know in the comment section.
Cheers!




      • Sticky Posts

      • Kaizen #217 - Actions APIs : Tasks

        Welcome to another week of Kaizen! In last week's post we discussed Email Notifications APIs which act as the link between your Workflow automations and you. We have discussed how Zylker Cloud Services uses Email Notifications API in their custom dashboard.

      • Kaizen #216 - Actions APIs : Email Notifications

        Welcome to another week of Kaizen! For the last three weeks, we have been discussing Zylker's workflows. We successfully updated a dormant workflow, built a new one from the ground up and more. But our work is not finished—these automated processes are

      • Kaizen #152 - Client Script Support for the new Canvas Record Forms

        Hello everyone! Have you ever wanted to trigger actions on click of a canvas button, icon, or text mandatory forms in Create/Edit and Clone Pages? Have you ever wanted to control how elements behave on the new Canvas Record Forms? This can be achieved

      • Kaizen #142: How to Navigate to Another Page in Zoho CRM using Client Script

        Hello everyone! Welcome back to another exciting Kaizen post. In this post, let us see how you can you navigate to different Pages using Client Script. In this Kaizen post, Need to Navigate to different Pages Client Script ZDKs related to navigation A.

      • Kaizen #210 - Answering your Questions | Event Management System using ZDK CLI

        Hello Everyone, Welcome back to yet another post in the Kaizen Series! As you already may know, for the Kaizen #200 milestone, we asked for your feedback and many of you suggested topics for us to discuss. We have been writing on these topics over the

        • Recent Topics

        • Printing Client Lists

          I was looking for a way to print out client lists based on the account. For example if I want all my contacts from company A on one sheet, how would I do this. Moderation Update (3rd December 2025): There are two challenges discussed in this thread. 1.

        • Qwen to be the default open source Generative AI model in Zoho Desk

          Hello everyone, At Zoho Desk, we will make the latest Qwen (30B parameters) the default LLM for our Generative AI features, including Answer Bot, Reply Assistant, and others. As a subsequent step, we will discontinue support for Llama (8B parameters).

        • ZOHO Blueprint and Workflow

          Hi, Correct me if i'm wrong, Blueprint triggers when a record that meets the criteria is created. It follows a specific transition that you will be setting up. Does blueprint work if the first state was triggered by a workflow? For example, In my custom module 1, I have a field named status. The statuses are 1, 2, 3 and 4. As soon as I create a new record, a workflow triggers that updates the status field to 1. Can a blueprint start from 2? My other concern is, can blueprint transitions work at the

        • Zoho CRM Participants Automatic - Invite Using Deluge

          Hi Zoho! Is there a way to make the invitations automatic via API? I'm using this one but it doesn't work or reflect in the CRM: participantUser = Map(); participantUser.put("type","email"); participantUser.put("participant",email); participantUser.put("invited",

        • Work Order Assignment for Engineers Handling Their Own Requests

          I’m setting up FSM for a business where there are multiple engineers, but each engineer handles their own process end-to-end receiving the service request, creating the work order, and completing the field service job. I noticed that I must create an

        • Experience Zoho Show on Mac now!

          Work today isn’t tied to a single place, time, or routine. It happens in cafes between meetings, on flights, or late at night when ideas strike. And when ins, your tools need to be ready, wherever you are. That’s why we built the Zoho Show app for Mac.

        • 【開催報告】東京 ユーザー交流会 Vol.4 | Zoho CRM 自動化のコツ ・Bookings のビジネス活用シーンとおすすめ機能を紹介

          ユーザーの皆さま、こんにちは。コミュニティチームの藤澤です。 11月28日(金)に新橋で「東京 ユーザー交流会 Vol.4」を開催しました。ご参加くださったユーザーの皆さま、ありがとうございました。ユーザー交流会の年内開催は、今回が最後でした。 この投稿では、当日のセッションの様子や使用した資料を紹介しています。残念ながら当日お越しいただけなかった方も、ぜひチェックしてみてください😊 ユーザー活用事例セッション:関数やクライアントスクリプトまで、CRMをもっと便利に Zoho CRM には、ワークフローやブループリントなど、さまざまな自動化に役立つ標準機能が備わっています。さらに、関数(Deluge)のようにスクリプトを記述して高度な自動化を実現することもできます。

        • Kiosk Button Actions

          I need to add an action to a Kiosk Button to loop me back to start the kiosk again and I am not sure what that looks like (function, etc.).

        • [Webinar] Automate generation of wills, trusts, POAs, and other estate planning documents with Zoho Writer

          Managing the lifecycle of the estate planning documents such as wills, trusts, and POAs, from client intake to final storage, can be complex and time-consuming. Join our live webinar to learn how Zoho Writer transforms this process by automating document

        • Dependent drop-downs... how?

          Good day. I have 2 different situations where I need a dependent drop-down field. First is for a subform, where I want to show related fields for a specific customer on the main form. In my case it is a parent whose children make use of our school transport

        • Reporting Limitation on Lead–Product Relation in Zoho CRM

          I noticed that Zoho CRM has a default Products related list under Leads. However, when I try to create a report for Lead–Product association, I’m facing some limitations. To fix this, I’m considering adding a multi-lookup field along with a custom related

        • Series Label in the Legend

          My legend reads 'Series 1' and 'Series 2'. From everything I read online, Zoho is supposed to change the data names if it's formatted correctly. I have the proper labels on the top of the columns and the right range selected. I assume it's something in

        • Dynamic Signature - Record owner

          Hi everyone, I’m using Zoho Writer merge templates from Zoho CRM and have two questions: Owner signature: How can I automatically insert the CRM record owner’s signature in the merged document? I’m not sure where this signature is stored or how to reference

        • Set Warehouse based on Vendor

          Greetings. I would like to set automaticaly the Warehouse based on the Vendor. Context: I am working on an adaptation of a Purchase Order to be used as a Quotation. I have defined that when a user has to raise a quote the Vendor will be "PROCUREMENT" I would like to set the Warehouse to a predefined value when "PROCUREMENT" is set as Vendor. I have tried to do with the Automation feature using the Field Update option, but Warehouse does not is listed as a field. Can you help? Thanks in advance.

        • Printing from Zoho Creator hosted on my own server to printers hosted on my clients local network

          Hello. Fairly new to Zoho Creator and looking for best options to be able to print from my application hosted on my own server to any printer hosted on my clients own local network. Any advice is welcome. Thank you.

        • Add System Pre-Defined Lookup Field to Subform?

          Hi there! New to using Zoho, so this may already exist, but I'm having trouble figuring it out. Is there a way to get the system pre-defined Account Lookup field (in our case, renamed to Company Name), as the starting point for a subform? In our company,

        • Numbered / bullet point List in Zho Cliq

          Hi, is there a way to format chat messages in Cliq like this Topic 1 Hey, I finished this project yesterday etc... Topic 2 I am still working on this etc...

        • Cannot Access Subform Display Order in Deluge

          As highlighted in this community post, we still have to deal with the significant limitation of not being able to access the user-sorted order of subform rows through Deluge. This creates a major disconnect between the UI capabilities and backend automation,

        • How many groups in Zoho Mail can I make?

          I'm currently on the free plan, which has a limit of 10 users. Does that limit includes groups too? If not, what is the limit for groups? Thanks!

        • Feature Suggestion for Zoho Social: Auto-reply to Comments or Keywords

          Hi Zoho team, I'd like to suggest a very specific feature that would be extremely helpful for customer engagement: the ability to automatically send a reply to comments on posts — either all comments or those containing specific keywords. For example,

        • My domain did not activate

          Hi, my domain (apsaindustrial.com.ar) did not activate, and the phone verification message never arrived. Please would you solve this problem? Thanks.

        • Already have Zoho account. Not letting me log in

          I already have a Zoho account that is associated with my Google email and my phone number. Even though I'm already logged in to Zoho, when I click on the mail icon to access my email, it takes me to the pricing page. When I click on the free option, it

        • ZOHO Mail App Not working

          There seems to be an issue with Zoho Mail App today. It is not connecting to server, internet is working fine, tried uninstalling app and reinstalling, loading circle keeps spinning round. Is there an update on the way?

        • facing error 550 5.4.6 while sending emails

          Please help me fix this issue

        • Allow Itemization for Recurring Expenses

          For whatever reason, one cannot itemize a Recurring Expense. This capability should be added. The use cases to support this are largely the same as what they were to allow for itemization in Expenses. Anything that would need to be itemized for a regular

        • Zoho reply to not working. just reply to my self

          Hello. i using on my wordpress website a contact form from Wsform. i can set the reply to email there. normally it works. but since i am using your wordpress plugin zoho mail it doesn`t work. its not using the reply to (email from customer). I just can

        • Painfully Slow Zoho mail

          Since yesterday Zoho Mail seems to have starting functioning very slowly and having a few bugs. It's slow to open mails, slow to send, slow to change between email accounts. Sometimes clicking on a particular folder (eg Sent folder) stops working and

        • Can't receive any email from other platform

          Hello,everyone, i'm just join zoho and create two email accounts for my own business. I was using it to get a verified email from stripe, but can't receive it. and I use my private gmail account to send test email twice, first time show below reply, but

        • Your Incoming has been blocked and the emails will not be fetched in your Zoho account and POP Accounts

          Can some on help me regarding our account . thank you so much

        • Zoho Creator integration with Sage 50

          Hi, Wondering if anyone has had any experience connecting Zoho to Sage 50 and could share any information on this matter. Thank you.

        • Conditional Email Forwarding

          How can I set conditional email forwarding of the users? For example: Mail should be forwarded to a address only if it comes from a particular sender. So, I want such email forwarding, which forwards mails based on particular conditions, like the incoming

        • Incoming emails not appearing in Inbox

          Hello, I have an issue with incoming emails sent from my website (domain: h2ostop.si). Emails are visible in the Sent folder, which means they are successfully sent through Zoho SMTP, but they never appear in my Inbox. Nothing arrives in Inbox, Spam,

        • Automatic Matching from Bank Statements / Feeds

          Is it possible to have transactions from a feed or bank statement automatically match when certain criteria are met? My use case, which is pretty broadly applicable, is e-commerce transactions for merchant services accounts (clearing accounts). In these

        • Email Opt Out Question

          Has the problem where if a customer is emailed opt out prevents you sending standard emails? For me this feature is simply to stop any email marketing and should not block people from receiving emails via Zoho mobile, which makes no sense.

        • Can No Longer Access Zoho Email Accounts from iPhone or iPad Apple Mail Apps ,.

          Keeps asking for password, Says ID or password incorrect. Tried creating a new app specific password. Same result. Is this possibly related to the server maintenance. Have verified all email settings, userid and password. This has worked for years until

        • Latest update caused issue in using marathi typingzoho

          With latest update now marathi typing does Not work in zohonotebook. I preferred zoho over other because it was supporting marathi font without any distortion.. But after new update,keyborad simply does not work

        • Login verification emails never received.

          I can't login to my account. You send a verification email, but it never arrives. This is a common problem, frequently caused by some relay point out there classifying the sender as a spammer. Is there anything I can do to bypass this? Maybe get a text

        • Global lists for Multi select

          It would be great if I could select a global list to use for a multi select dropdown filed.

        • Yahoo is rejecting e-mails sent from a Zoho server

          Diagnostic-Code: 4.7.0 [TSS04] Messages from 136.143.169.51 temporarily deferred due to unexpected volume or user complaints - 4.16.55.1; see https://postmaster.yahooinc.com/error-codes Remote-MTA: dns; mta5.am0.yahoodns.net

        • Yahoo blocks e-mail sent from Zoho servers

          Getting this for a bunch of Yahoo addresses. Do you know if some of your servers got blacklisted? Diagnostic-Code: 4.7.0 [TSS04] Messages from 136.143.169.51 temporarily deferred due to unexpected volume or user complaints - 4.16.55.1; see https://postmaster.yahooinc.com/error-codes

        • Next Page