Kaizen #43 - Tokens and Limitations

Hello everyone!

Welcome back to yet another post in the Kaizen series.

This week, we will discuss the usage of tokens in authorizations and their limitations.

Tokens in OAuth 2.0

Zoho CRM employs the OAuth 2.0 authorization model to authorize its API requests. Grant token, access token, and refresh token are the three major components that play an important role in the authorization process. Initially, the user needs to register a client with Zoho CRM. After registration, the user can generate grant tokens depending on the operation they plan to perform.

The grant token then assists in generating the access and refresh tokens. The access token is passed as a bearer token in every API request made. An access token is valid only for 3600 seconds or 60 mins. Once the access token expires, a new access token can be generated using the refresh token.

Figure - OAuth 2.0 Overview

Token Limits

An important aspect of tokens is that they hold a limit over the number of tokens that can be generated in a given period, and the number of active tokens at a given time. Let us discuss some major limitations concerning the tokens.

Token Name	Number of tokens per 10 minutes	Maximum number of concurrent active tokens	Note
Grant Token	10	-	-
Access Token	10 per refresh token	15	Creation of the 16th token deletes the first.
Refresh Token	10 per user per client	20	Creation of 21th token deletes the first. The access token created from the first refresh token gets deleted as well.

What if you exceed the allowed limit?

The status code for the requests that are made after exceeding the allowed limit remains 200. However, the message for such requests says "Access Denied", thus restricting any further token generation.

We hope you found this post useful. Let us know your thoughts in the comment section or reach us out at support@zohocrm.com.

Cheers!

Zoho Desk Resources

Desk Community Learning Series
Digest
Functions
Meetups
Kbase
Resources
Glossary
Desk Marketplace
MVP Corner
Word of the Day

Sticky Posts
Client Script | Update - Introducing Commands in Client Script!
Have you ever wished you could trigger Client Script from contexts other than just the supported pages and events? Have you ever wanted to leverage the advantage of Client Script at your finger tip? Discover the power of Client Script - Commands! Commands
Kaizen #165 : How to call Zoho CRM APIs using Client Script
Welcome back to another exciting Client Script post! In this post, we will discuss one of the most frequently asked questions: How do you call Zoho CRM APIs from Client Scripts? In this kaizen post, 1. Ways to make calls to Zoho CRM APIs using Client
Kaizen#162 : Add Tags and Open Pre-filled Email Drafts via Client Scripts
Hello everyone! Welcome to another informative Kaizen post. In this post, let us see how to accomplish the following using Client Script. 1. How to auto-tag a record based on field update? 2. How to Open a pre-filled email draft This post will provide
Extension Pointers - JS SDK series #4: Managing data from a widget using ZOHO.CRM.HTTP
Handling and managing the data between two applications is a major factor for an efficient business. There are a variety of ways to handle data between Zoho CRM and other third-party applications. You can use deluge CRM tasks, create connectors, use API
Kaizen #152 - Client Script Support for the new Canvas Record Forms
Hello everyone! Have you ever wanted to trigger actions on click of a canvas button, icon, or text mandatory forms in Create/Edit and Clone Pages? Have you ever wanted to control how elements behave on the new Canvas Record Forms? This can be achieved