Kaizen #168 - Incremental Authorization

Kaizen #168 - Incremental Authorization


Welcome to this week's post in the Kaizen series. In this post, we will discuss Incremental Authorization. 

What is Incremental Authorization?

Incremental Authorization is an OAuth strategy that allows a client to request specific authorization scopes as and when needed. This means that the client does not have to request every possible scope that might be needed upfront, which might result in a bad user experience. Incremental Authorization is considered a best practice in Oauth Authorization Request as:
  • Users are not overloaded with scopes in the initial stage
  • Users can control the amount of data they share

Who can use Incremental Authorization?

Server-based applications can make use of incremental authorization 

Incremental Authorization Flow

Incremental Authorization Flow

When a user first signs into the application, the application requests only the essential permissions needed. The user may trigger features that require additional permissions as they engage with the application. When the application identifies this, it follows the below steps:

Initiation Request (Step 1: Get Scope Enhancement Token )

The application makes a POST request to the endpoint /oauth/v2/token/scopeenhance, including the existing refresh token as a parameter. This request is aimed at obtaining a scope enhancement token, which is necessary for requesting additional permissions.

Scope Enhancement Request (Step 2)

After receiving the scope enhancement token, the app then makes a request to the endpoint /oauth/v2/token/addextrascope. In this request, it specifies which additional scopes are needed.

User Consent

The user is presented with a consent screen that details the new permissions being requested. This screen will only show the new permissions required and not those already granted.
If the user approves these new permissions, the refresh token (used in Step 1) and its associated access tokens will be updated to include the newly granted scopes.

Success Response

Upon successful approval by the user, a success response is returned, confirming that the additional scopes have been appended to the existing refresh token.

When is Incremental Authorization Useful?

Let us take a look at two scenarios where incremental authorization is particularly useful.

Scenario 1 

Zylker Marketing, a marketing agency, utilizes a custom in-house marketing tool that integrates with Zoho CRM.  Initially, the tool has permission to read Leads in Zoho CRM. However, as the marketing team expands their operations, they realize that they require to create new Contacts based on sign-ups and retrieve existing deals data for analysis. The tool is then revamped to create Contacts and view Deals data. 
When a marketer who uses the tool tries to create a Contact for the first time, the incremental authorization method is called in the backend. The marketer is redirected to the Zoho login page. Once logged in, the marketer is prompted to give access to the new resources. This enhances the refresh token, and the tool can continue using the same refresh token. 

Scenario 2

Consider that you want to use a new Zoho CRM API that just got released as part of the version release. Your refresh token does not have the required scope to access the new API.  You can make use of incremental authorization to append the required scope to the same refresh token in these cases.

How can you use Incremental Authorization?

Step 1: Initiation Request 

First, you need to send a request to get the scope enhancement token along with the refresh token for which the extra access is required.

Request format

POST 
{accounts-url}/oauth/v2/token/scopeenhance
?grant_type=update_scopes_token
&client_id={client_id}
&client_secret={client_secret}
&refresh_token={refresh_token}


The accounts-url is specific to the location (i.e., datacenter) where the client is registered. See all the server-specific URLs.
Request Parameters 
You should send the initiation request with the below parameters. All parameters are mandatory
  • grant_type: Specify the value as "update_scopes_token".
  • client_id: Specify the client-id obtained from the API console.
  • client_secret: Specify client-secret obtained from the API console.
  • refresh_token: Specify the refresh token to which the additional scopes should be appended.
You will receive a response in the below format
{
"access_token": "{scope_enhancement_token}",
"token_type": "update_scope",
"expires_in": 600
}

The scope_enhancement_token received in this response should be passed as a parameter in the next step - scope enhancement request.

Step 2: Scope enhancement request

This request appends the refresh token with additional scopes.
Request format
GET
{accounts-url}/oauth/v2/token/addextrascope
?response_type=update_scopes
&client_id={client_id}
&redirect_uri={redirect_uri}
&scope={required_scopes}
&enhance_token={scope_enhancement_token}
&logout=true

Parameters
  • response_type: Specify the value as "update_scopes".
  • client_id: Specify the client-id obtained from the API console.
  • redirect_uri : Specify the URI to which the authorization server will redirect the browser back with success or failure response. It has to be the same URI which is provided when registering the app in the API console.
  • scope: Specify the scopes of the additional resources for which access is required.
  • enhance_token: Scope enhancement token received in the response of the previous initiation request. 
  • logout: Specify as true if the user's session should be terminated after the permission is granted or rejected.
When this request is called, the application redirects the user to the Zoho Login page, and the user enters the Zoho credentials. Then, the permissions required are displayed once the user is authenticated.
The refresh token will be appended with the additional scopes, and a success response will be returned when the user grants permission. The user will be redirected to the redirect_uri with params status as success and scope_enhanced as true. The user can continue using the same refresh token can be used. If the user rejects the authentication, the system returns a failure response.  The user will be redirected to the redirect_uri with params error as access_denied.

You will receive a response in the below formats:

Success Response
{redirect_uri}?status=success&scope_enhanced=true

Failure Response
{redirect_uri}?error=access_denied

We hope you found this post useful. We will meet you next week with another interesting topic!
If you have any questions, let us know in the comment section.
Cheers!




      • Sticky Posts

      • Kaizen #217 - Actions APIs : Tasks

        Welcome to another week of Kaizen! In last week's post we discussed Email Notifications APIs which act as the link between your Workflow automations and you. We have discussed how Zylker Cloud Services uses Email Notifications API in their custom dashboard.

      • Kaizen #216 - Actions APIs : Email Notifications

        Welcome to another week of Kaizen! For the last three weeks, we have been discussing Zylker's workflows. We successfully updated a dormant workflow, built a new one from the ground up and more. But our work is not finished—these automated processes are

      • Kaizen #152 - Client Script Support for the new Canvas Record Forms

        Hello everyone! Have you ever wanted to trigger actions on click of a canvas button, icon, or text mandatory forms in Create/Edit and Clone Pages? Have you ever wanted to control how elements behave on the new Canvas Record Forms? This can be achieved

      • Kaizen #142: How to Navigate to Another Page in Zoho CRM using Client Script

        Hello everyone! Welcome back to another exciting Kaizen post. In this post, let us see how you can you navigate to different Pages using Client Script. In this Kaizen post, Need to Navigate to different Pages Client Script ZDKs related to navigation A.

      • Kaizen #210 - Answering your Questions | Event Management System using ZDK CLI

        Hello Everyone, Welcome back to yet another post in the Kaizen Series! As you already may know, for the Kaizen #200 milestone, we asked for your feedback and many of you suggested topics for us to discuss. We have been writing on these topics over the

        • Recent Topics

        • Working with dates and Function Field

          Hello friends! I'm trying to add days to a date, however the field function will always shows 00:00:00 after the resultant date. How can I display only the date, whithout the time? toDate(input.request_date.addDay(input.Prazo_acordado),"MM,d,yyyy") The code above will result something like "11-Feb-2020 00:00:00", but I want to display only "11-Feb-2020"

        • What's New in Zoho Analytics - November 2025

          We're thrilled to announce a significant update focused on expanding your data connectivity, enhancing visualization capabilities, and delivering a more powerful, intuitive, and performant analytics experience. Here’s a look at what’s new. Explore What's

        • Unable to send message;Reason:550 5.4.6 Unusual sending activity detected. Please try after sometime.

          Please help my account got blocked automatically, can you help me how to avoid it? Thanks so much

        • Unusual activity detected from this IP. Please try again after some time

          When i try to create new addresses on my account i am getting this error, it has been 24 hours now and i am still getting this error can anyone help

        • temporary system errorlouis

          J'essaye d'envoyer des mails avec mes 2 adresses mail qe nous avons sur le compte arthur@lepunch.fr et louis@lepunch.fr mais j'ai toujours le message temporaire system error, je reçois les mails mais impossible d'en envoyer a qui que ce soit

        • How to Cancel/Delete Queued Mail Merge?

          Hi. I just tried to do a mail merge before realizing there's a limit on number of sends. I accidentally sent one of my lists twice, and all of those emails are currently queued. Is there any way to cancel or delete a queued mail merge? Would love to be

        • Need to add a new admin for my domain

          Hello Zoho Support, I am the owner of the domain localeistanbul.com. The current super admin account (admin@localeistanbul.com) is not accessible. I do not want to reset or delete the existing account because I need to keep all existing emails. Please

        • Possible Fraud Site.

          Hello. I received a text with the sender's name as zoho, claiming that my account was at risk and that I should sign in at https://verify.zohomails.ru/signin to verify my account. I signed in on the web address above, and a few days later someone hacked

        • Zoho mail to Teaminbox

          Hello, We're searching for new mail program. Now I'm testing a bit with zoho mail and team inbox. My findings in the research: Pop mail throught zoho mail is almost instant. Any pop or imap via external provider takes a couple minutes to 15 minutes before

        • Crear tarea CRM con recordatorio desde Zoho Flow

          Hola, estoy intentando crear desde Zoho Flow una tarea en CRM. Lo he logrado hacer pero sin recordatorio, ya que no se como se debe escribir el string adecuado. He probado varias alternativas, pero ninguna me funcionó hasta ahora. - FREQ=NONE;ACTION=EMAIL;TRIGGER=DATE-TIME:${FechaVto}

        • Inquiry Regarding Automated Assignment of Zoho TeamInbox Messages using Zoho Flow and Deluge

          Hello, Our company is currently using Zoho TeamInbox, and we are interested in automating the assignment of responsible parties using tools such as ZOHO Flow and Deluge. Is it possible to achieve this? Allow me to provide more details. Currently, when

        • Upgrade Zoho Desk Agent-Side Answer Bot to GenAI

          Hello Zoho Desk Team, We hope you're doing well. Following the recent announcements and rollout of the GenAI-based Answer Bot in Zoho SalesIQ (Nova '25), we’d like to formally request a similar upgrade for the Answer Bot used by agents inside Zoho Desk.

        • Marketers' Space: The importance of warming up your sender domain

          Hello Marketers, Welcome back to yet another post! Today, we'll talk about why warming up your sender domain matters. Imagine you've recently started a business and want to share the news with your customers. You've designed a great email campaign using

        • An Exclusive Session for Zoho Desk Users: AI in Zoho Desk

          A Zoho Community Learning Initiative Hello everyone! This is an announcement for Zoho Desk users and anyone exploring Zoho Desk. With every nook and corner buzzing, "AI's here, AI's there," it's the right time for us to take a closer look at how the AI

        • Search Just Got Smarter in Notebook

          Hello there! Introducing Our New & Improved Search Experience! We heard your feedback! Many of you shared that our previous search had some challenges like • Inconsistent results across different clients • Limited accuracy in finding the right content

        • Zoho Desk app update - AI Integration for IM Chats

          Hello everyone! We have now introduced AI integration for IM Chats within the Zoho Desk mobile app. To access the feature, please enable the 'Generative AI' settings on the desktop site(desk.zoho.com). Please refer to the help link attached below: Zoho

        • Open A.I assistant Connect with Zoho Desk instant Message Conversations

          I would like to know how do I connect my instant messenger in Zoho desk with my Open A.I Gpt Assistant. this is very easy to setup using the Salesiq Zobot but when it comes to Zoho Desk i cannot figure how to make the connection. Ideal workflow Customers

        • Cannot upgrade subscription plan due to payment error message

          Hi Zoho team, This is to request support on an issue I am facing during an upgrade I am trying to make to our company's yearly Zoho subscription. I am trying to add 3 more license to my plan and during the payment phase I get the below error as in the

        • Enhancing Zia's service with better contextual responses and article generation

          Hello everyone, We are enhancing Zia's Generative AI service to make your support experience smarter. Here's how: Increased accuracy with Qwen One of the key challenges in AI is delivering responses that are both contextually accurate and empathetic while

        • Zoho Desk app update: AI powered features

          Hello everyone! We’ve introduced various AI-powered services on the Zoho Desk app. Let's take a look at what's new. Generate Content: Generate Content uses AI to formulate responses based on the your query and provides a ready-to-use reply which can be

        • Bulk update Archived Ticket

          Dear All We would like to update the "Category" values to the new filed. We found the archived Ticket seems to be don't support the bulk action. Do we have any way to update it. Finally, we would to generate a report for our ticket system. Regards I

        • Channel Configuration and Default Channels

          There are some of the default fields that cannot be removed or changed. Examples are the social media ones, such as Facebook. It would be nice to be able to remove these fields as it would be confusing if someone selected this but it's not configure

        • Delay function execute

          I've got a workflow which uses a webhook to send information to Flow, which in return updates a record in Creator. Problem is, by the time this has executed, the rest of my script has run and can't find the (yet to be) updated info in the record. Is there

        • Support www.camcard.com

          Hi, Is it possible CRM Zoho have integrations with https://camcard.com/? Thanks Br, Andy

        • Option to Customize Career Site URL Without “/jobs/Careers”

          Dear Zoho Recruit Team, I hope you are doing well. We would like to request an enhancement to the Career Site URL structure in Zoho Recruit. In the old version of the career site, our URL was simply: 👉 https://jobs.domain.com However, after moving to

        • Can't make a document editable to anyone

          Hey everyone, I am using Zoho Workdrive and trying to share a document so that it is editable by anyone with the link. I am trying to convince people to shift from Google to Zoho, but they don't have accounts yet. When I try to change the share settings

        • Edit Default Print

          What I want to do is create / edit the "Default Print" template without changing the layout I'm using. Currently I can create "Email Templates" but I don't use them for emailing and getting to that selection takes multiple clicks. If an email template could be set to be the Default Print template that would be helpful. I'd also like to print these in bulk but don't see that option (there is a mail merge macro but that goes straight to emailing, not to print or PDF).

        • Widget shows error

          Hi, May I ask why below characters will be auto added into the widget link and how to solve this error? As my widget shows 404 error now. ?serviceOrigin=https%3A%2F%2Fcrm.zoho.com&frameorigin=https%3A%2F%2Fcrm.zoho.com

        • How to print envelope labels from Zoho CRM

          Can anybody give me any clue how to print envelope/package labels directly from Contacts view? Regards, Alexandru Moderation Update: The Canvas Print View, which also facilitates the formatting of mailing labels, is now available! Learn more here: Zoho

        • Data Import: New interface, improved field mapping, and more

          Hello everyone! We’ve redesigned the data import process to ensure accurate field alignment and verify that every column in the uploaded file maps correctly with Desk fields before import. Here's how: Streamlined Import Steps Importing data is now more

        • Address labels

          Hi, we've been searching for a long time for a simple way for our employees to print address labels using a Dymo Label Writer 450. We came up with two alternatives that work, bur aren't really optimal.  First one is WebMerge. Webmerge is a great application that does 100% what we need but it is way too expensive for our needs. We only need to print a couple of labels per month. The second one is the integrated print tool in Zoho CRM, (Print preview) You would think this is the obvious way to do this

        • This domain is not allowed to add. Please contact support-as@zohocorp.com for further details

          I am trying to setup the free version of Zoho Mail. When I tried to add my domain, theselfreunion.com I got the error message that is the subject of this Topic. I've read your other community forum topics, and this is NOT a free domain. So what is the

        • Print Labels

          How can I configure my address to print my labels like this: Name Mailing Address Mailing City, Mailing State Mailing Zip Country Instead of: Name Mailing Address Mailing City Mailing State Mailing Zip Country Thanks!!!!

        • Mailing labels - Improperly formatted

          All I'm trying to do is print one, properly formatted, mailing label. I'm in the Contacts module. In the default "list view" for mailing labels I selected a single client, hit the "more actions" drop down and selected print mailing label. Unfortunately,

        • Printing mailing labels

          The ability to print mailing labels would seem to be an important, basic, function of a good CRM. I find it very surprising that this has still not been addressed adequately by Zoho. When trying to use the existing "mailing label" included: 1. the data

        • Pageless mode needed to modernise Writer

          When we switched from GSuite to Zoho, one of the easiest apps I found to give up, was Docs. In many ways, Writer has always been more powerful than Docs, especially in terms of workflows/fillable forms/etc. However, I went back into Docs because I notice

        • Zoho Projects - Visual improvement to parent and sub-task relationship

          Hi Projects Team, My feature request is to improve sub-task visibility. Please see screenshot below. I really think parent child relationships could be visually improved. Even if the first letter of the parent task was inline with other same level tasks

        • AI Interview Insights: Turn Recorded Interviews into Quick Transcripts & Summaries

          Evaluating interviews shouldn’t require replaying long recordings or taking manual notes. With AI Interview Insights, you can now review complete transcripts and AI-generated summaries of your One-way (Recorded) interviews right inside Zoho Recruit. This

        • API method to get activity feed in Recruit

          Hi community, I'm trying to figure out - is there any API method tto get information about datetime when Recruit/Candidates record tag where added?

        • Printing Mailing labels

          Is there any way to adjust the size of the printing labels? or product would I use to print labels from Zoho? Thanks, Josef Krieger Moderation Update (14th April 2025): We have another post discussing the same topic with votes and feedback from users.

        • Next Page