Kaizen #168 - Incremental Authorization

Welcome to this week's post in the Kaizen series. In this post, we will discuss Incremental Authorization. 

What is Incremental Authorization?

Incremental Authorization is an OAuth strategy that allows a client to request specific authorization scopes as and when needed. This means that the client does not have to request every possible scope that might be needed upfront, which might result in a bad user experience. Incremental Authorization is considered a best practice in Oauth Authorization Request as:

• Users are not overloaded with scopes in the initial stage
• Users can control the amount of data they share

Who can use Incremental Authorization?

Server-based applications can make use of incremental authorization 

Incremental Authorization Flow

Incremental Authorization Flow

When a user first signs into the application, the application requests only the essential permissions needed. The user may trigger features that require additional permissions as they engage with the application. When the application identifies this, it follows the below steps:

Initiation Request (Step 1: Get Scope Enhancement Token )

The application makes a POST request to the endpoint /oauth/v2/token/scopeenhance, including the existing refresh token as a parameter. This request is aimed at obtaining a scope enhancement token, which is necessary for requesting additional permissions.

Scope Enhancement Request (Step 2)

After receiving the scope enhancement token, the app then makes a request to the endpoint /oauth/v2/token/addextrascope. In this request, it specifies which additional scopes are needed.

User Consent

The user is presented with a consent screen that details the new permissions being requested. This screen will only show the new permissions required and not those already granted.

If the user approves these new permissions, the refresh token (used in Step 1) and its associated access tokens will be updated to include the newly granted scopes.

Success Response

Upon successful approval by the user, a success response is returned, confirming that the additional scopes have been appended to the existing refresh token.

When is Incremental Authorization Useful?

Let us take a look at two scenarios where incremental authorization is particularly useful.

Scenario 1 

Zylker Marketing, a marketing agency, utilizes a custom in-house marketing tool that integrates with Zoho CRM.  Initially, the tool has permission to read Leads in Zoho CRM. However, as the marketing team expands their operations, they realize that they require to create new Contacts based on sign-ups and retrieve existing deals data for analysis. The tool is then revamped to create Contacts and view Deals data. 

When a marketer who uses the tool tries to create a Contact for the first time, the incremental authorization method is called in the backend. The marketer is redirected to the Zoho login page. Once logged in, the marketer is prompted to give access to the new resources. This enhances the refresh token, and the tool can continue using the same refresh token. 

Scenario 2

Consider that you want to use a new Zoho CRM API that just got released as part of the version release. Your refresh token does not have the required scope to access the new API.  You can make use of incremental authorization to append the required scope to the same refresh token in these cases.

How can you use Incremental Authorization?

Step 1: Initiation Request 

First, you need to send a request to get the scope enhancement token along with the refresh token for which the extra access is required.

Request format

POST  {accounts-url}/oauth/v2/token/scopeenhance ?grant_type=update_scopes_token &client_id={client_id} &client_secret={client_secret} &refresh_token={refresh_token}

The accounts-url is specific to the location (i.e., datacenter) where the client is registered. See all the server-specific URLs.

Request Parameters 

You should send the initiation request with the below parameters. All parameters are mandatory

• grant_type: Specify the value as "update_scopes_token".
• client_id: Specify the client-id obtained from the API console.
• client_secret: Specify client-secret obtained from the API console.
• refresh_token: Specify the refresh token to which the additional scopes should be appended.

You will receive a response in the below format

{ "access_token": "{scope_enhancement_token}", "token_type": "update_scope", "expires_in": 600 }

The scope_enhancement_token received in this response should be passed as a parameter in the next step - scope enhancement request.

Step 2: Scope enhancement request

This request appends the refresh token with additional scopes.

Request format

GET {accounts-url}/oauth/v2/token/addextrascope ?response_type=update_scopes &client_id={client_id} &redirect_uri={redirect_uri} &scope={required_scopes} &enhance_token={scope_enhancement_token} &logout=true

Parameters

• response_type: Specify the value as "update_scopes".
• client_id: Specify the client-id obtained from the API console.
• redirect_uri : Specify the URI to which the authorization server will redirect the browser back with success or failure response. It has to be the same URI which is provided when registering the app in the API console.
• scope: Specify the scopes of the additional resources for which access is required.
• enhance_token: Scope enhancement token received in the response of the previous initiation request. 
• logout: Specify as true if the user's session should be terminated after the permission is granted or rejected.

When this request is called, the application redirects the user to the Zoho Login page, and the user enters the Zoho credentials. Then, the permissions required are displayed once the user is authenticated.

The refresh token will be appended with the additional scopes, and a success response will be returned when the user grants permission. The user will be redirected to the redirect_uri with params status as success and scope_enhanced as true. The user can continue using the same refresh token can be used. If the user rejects the authentication, the system returns a failure response.  The user will be redirected to the redirect_uri with params error as access_denied.

You will receive a response in the below formats:

Success Response

{redirect_uri}?status=success&scope_enhanced=true

Failure Response

{redirect_uri}?error=access_denied

We hope you found this post useful. We will meet you next week with another interesting topic!

If you have any questions, let us know in the comment section.

Cheers!

Previous Kaizen: Kaizen #167 - Configuration and Initialization of Zoho CRM Python SDK (V7) for different client types |

Kaizen Collection: Directory | Help document link: Incremental Authorization

• Topic Participants

• Mable Mary M P

  

• Sticky Posts

• Kaizen #222 - Client Script Support for Notes Related List

  Hello everyone! Welcome to another week of Kaizen. The final Kaizen post of the year 2025 is here! With the new Client Script support for the Notes Related List, you can validate, enrich, and manage notes across modules. In this post, we’ll explore how

• Kaizen #217 - Actions APIs : Tasks

  Welcome to another week of Kaizen! In last week's post we discussed Email Notifications APIs which act as the link between your Workflow automations and you. We have discussed how Zylker Cloud Services uses Email Notifications API in their custom dashboard.

• Kaizen #216 - Actions APIs : Email Notifications

  Welcome to another week of Kaizen! For the last three weeks, we have been discussing Zylker's workflows. We successfully updated a dormant workflow, built a new one from the ground up and more. But our work is not finished—these automated processes are

• Kaizen #152 - Client Script Support for the new Canvas Record Forms

  Hello everyone! Have you ever wanted to trigger actions on click of a canvas button, icon, or text mandatory forms in Create/Edit and Clone Pages? Have you ever wanted to control how elements behave on the new Canvas Record Forms? This can be achieved

• Kaizen #142: How to Navigate to Another Page in Zoho CRM using Client Script

  Hello everyone! Welcome back to another exciting Kaizen post. In this post, let us see how you can you navigate to different Pages using Client Script. In this Kaizen post, Need to Navigate to different Pages Client Script ZDKs related to navigation A.

• Recent Topics

• is it possible to add more than one Whatsapp Phone Number to be integrated to Zoho CRM?

  so I have successfully added one Whatsapp number like this from this User Interface it seems I can't add a new Whatsapp Number. I need to add a new Whatsapp Number so I can control the lead assignment if a chat sent to Whatsapp Phone Number 1 then assign

• Replace Zoho Invoice with QuickBooks

  We are implementing Zoho FSM for a cleaning business in the US with 50+ field workers. This business has been using Quickbooks for accounting for decades and will not migrate to Zoho Books. A major issue in the integration is the US sales tax calculation.

• Reply and react to comments

  Hi everyone! We're excited to bring to you a couple of new features that'll make your sprint process simpler. A cloud application brings with it an array of social media features that can be efficiently used in your organizational setup. As an agile scrum

• Possible to connect Zoho CRM's Sandbox with Zoho Creator's Sandbox?

  We are making some big changes on our CRM so we are testing it out in CRM's Sandbox. We also have a Zoho Creator app that we need to test. Is it possible to connect Zoho CRM's Sandbox to Zoho Creator's Sandbox so that I can perform those tests?

• 2025 Highlights: A Year of Steady Progress and Significant Developments

  As we come to the end of 2025, let's take a moment to reflect on the significant progress and developments we've made to improve your travel and expense management. In the Spotlight Introducing Online Booking (US edition only - Early access) Enable online

• Hide/Show Subform Fields On User Input

  Hello, Are there any future updates in Hide/Show Subform Fields "On User Input"?

• Zoho Sheet for Desktop

  Does Zoho plans to develop a Desktop version of Sheet that installs on the computer like was done with Writer?

• e-mail bloqueado

  Estou com meu e-mail lucas@peplus.me bloqueado, preciso desbloquear para retorno de usos em minhas atividades.

• ¿Cómo puedo configurar las contraseñas creadas bajo una directiva para que nunca caduquen y no aparezcan como caducadas en los informes?

  ¿Cómo puedo configurar las contraseñas creadas bajo una directiva para que nunca caduquen y no aparezcan como caducadas en los informes? La razón por la cual contraseña estas no deben caducar es porque su actualización depende de mi cliente y no de mí.

• Function #42: Show the actual rate of items on invoices

  Hello everyone, and welcome back to our series! In Zoho Books, you have the ability to create Price Lists, wherein you can mark up and mark down the item rates by a specific percentage or set custom rates. Generally, when you apply a price list to an

• Ability to Set Text Direction for Individual Cells in Zoho Sheet

  Dear Zoho Sheet Team, We hope you are doing well. We would like to request an enhancement in Zoho Sheet that allows users to set the text direction (right-to-left or left-to-right) for individual cells, similar to what is available in Google Sheets. Use

• New in CRM: Dynamic filters for lookup fields

  Last modified on Oct 28, 2024: This feature was initially available only through Early Access upon request. It is now available to all users across all data centers, except for the IN DC. Users in the IN DC can temporarily request access using this form

• Warehouse fast processing

  Hey guys, would anyone be interested in something like the attached image ? If there's any interest I'd be willing to develop it further for others to use, it's much faster than using Zohos native solutions, it can part pack, pack in full, part ship,

• Can't change form's original name in URL

  Hi all, I have been duplicating + editing forms for jobs regarding the same department to maintain formatting + styling. The issue I've not run into is because I've duplicated it from an existing form, the URL doesn't seem to want to update with the new

• Start/Stop Timmer in Chrome Extension

  The chrome extension is great and allows you to do allot however one of the most common things employees working on projects need to do is track their time. Having an easy start/stop timer to track time would be great.

• Invalid collection string

  I haven't changed anything in one of my functions. I'm trying to run it manually and suddenly "Invalid collection string" appears. My code has 6 lines and the error says that the error is on 7th line. Why? What does this error mean? Nothing has been changed

• Zoho Directory 2025: New Features | Security Enhancements | Enriched UI

  Hello everyone, Greetings from the Zoho Directory team! 2025 has been a highly successful year for Zoho Directory. We are delighted to introduce a fresh set of features, an enriched UI, and major product enhancements. These updates aim to deliver a smoother

• Bulk Schedule for Posting TikTok

  Hallo, We have a client whose business is a social media agency specifically TikTok. Currently they are handling 30 TikTok accounts from. I think zoho Social can handle it with Agency License + with Add on 10 Brands. Their concern is related to posting

• zoho people 5 report

  How do I customize my report in Zoho People Report? I understand that I can get the results of multi-table queries through SQL join statements, but I don't know the relationship between each table. I tried to create a report using Attendance User Report

• Leave Report Emailed Weekly

  I am wondering if someone knows how to have a report generated either weekly or monthly or both for department heads and ownership of upcoming employee leave. For instance, it would be nice to get an emailed report on Friday for the upcoming week of who

• Ability to Edit YouTube Video Title, Description & Thumbnail After Publishing

  Hi Zoho Social Team, How are you? We would like to request an enhancement to Zoho Social that enables users to edit YouTube video details after the video has already been published. Your team confirmed that while Zoho Social currently allows editing the

• Zoho Flow Decision Continuing Despite Not Meeting Conditions

  I have a picklist field called Lead Status in the leads module, with the following lead Statuses: New Lead Attempted Contact - 1 Attempted Contact - 2 Attempted Contact - 3 Attempted Contact - 4 Attempted Contact - 5 Attempted Contact - 6 Attempted Contact

• Add RTL and Hebrew Support for Candidate Portal (and Other Zoho Recruit Portals)

  Dear Zoho Recruit Team, I hope you're doing well. We would like to request the ability to set the Candidate Portal to be Right-to-Left (RTL) and in Hebrew, similar to the existing functionality for the Career Site. Currently, when we set the Career Site

• zoho labels api not working

  We're using n8n to automte email reply using zoho api. I'm facing issue with label api. I added the required scopes but its not working. i followed zoho api documentation but didn't work. also, where do i find/how do i create zoho oauth token mentioneeed

• Zoho Books Sandbox environment

  Hello. Is there a free sandbox environment for the developers using Zoho Books API? I am working on the Zoho Books add-on and currently not ready to buy a premium service - maybe later when my add-on will start to bring money. Right now I just need a

• Tip #55- Accessibility Controls in Zoho Assist: Exploring Vision Settings- 'Insider Insights'

  As we approach the end of the year, it’s a good moment to reflect on how we can make our tools more inclusive and easier to use for everyone. Remote support often involves long hours in front of screens, varied lighting conditions, and users with different

• Zoho Recruit Slow and Freezing on all screens

  We have had an issue with Zoho Recruit for weeks being extremely slow and at times freezing.  We have 100 mega internet, and I went into each computer and updated the virtual memory so there is more available.  Also restarted all computers daily.  Still having the issues.  Almost unable to work.

• Credit Management: #2 Configuring Right Payment Terms for Credit Control

  Think about the last time you ordered something online and saw that little note at the checkout, "Pay on Delivery" or "Pay later". It's simple, but it actually sets the tone. As a business owner, you know exactly when payment is expected. Now, imagine

• Dependent (Conditional) Fields in Zoho Bookings Forms

  Hello Zoho Bookings Team, Greetings, We would like to request the ability to create dependent (conditional) fields in Zoho Bookings registration forms. Current Limitation: There is currently no way to make one field’s available options depend on the value

• Bug Report: Search fails to find existing notes after Evernote import

  Hello, I recently migrated from Evernote (~2600 notes across 23 notebooks), but the search functionality is currently broken. The Issue: I can manually browse to a specific note and see it exists. However, when I type the exact or partial title of that

• Marketing Tip #13: Win repeat customers with post-purchase emails

  The relationship with your customer doesn’t end after the sale; that’s when it begins. A thoughtful post-purchase message shows customers you appreciate them, keeps your brand top of mind, and can even lead to another sale. You can thank them, ask for

• Zoho Form

  I have problem with Zoho Form. One of form i don't received the PDF version. Others okay except this one. W904533

• Introducing the Zoho Projects Learning Space

  Every product has its learning curve, and sometimes having a guided path makes the learning experience smoother. With that goal, we introduce a dedicated learning space for Zoho Projects, a platform where you can explore lessons, learn at your own pace,

• Create & Update Zoho Vault Passwords via Zoho Flow

  Hi Zoho Flow / Zoho Vault Team, We’d like to request an enhancement to the Zoho Vault integration in Zoho Flow. Current Limitation: At the moment, Zoho Flow supports only the following selected Zoho Vault actions, such as: Fetch passwords, Share passwords

• I Need Help Verifying Ownership of My Zoho Help Desk on Google Search Console

  I added my Zoho desk portal to Google Search Console, but since i do not have access to the html code of my theme, i could not verify ownership of my portal on Google search console. I want you to help me place the html code given to me from Google search

• Is Zoho Communityspaces now part of Zoho One?

  Is Zoho Communityspaces now part of Zoho One?

• Streams/Shared email doesn't show up in windows trident app. It works fine on MAC. Is there any difference between 2 install ?

  I can see streams/share email boxs on my MAC version of trident app but i can't see them in windows version of trident app. Is there any difference between 2 install? I try to find setting but not able to see any setting to add stream/share email boxes.

• Credit Note for Shipped and Fatoora pushed invoices

  We have shipped a Sales Order and created an Invoice. The Invoice is also pushed to Fatoora Now we need to create a credit note for the invoice When we try it, it says we need to create a Sales Return in the Zoho Books, we have already created a Sales

• Cliq iOS can't see shared screen

  Hello, I had this morning a video call with a colleague. She is using Cliq Desktop MacOS and wanted to share her screen with me. I'm on iPad. I noticed, while she shared her screen, I could only see her video, but not the shared screen... Does Cliq iOS is able to display shared screen, or is it somewhere else to be found ? Regards

• MCP no longer works with Claude

  Anyone else notice Zoho MCP no longer works with Claude? I'm unable to turn this on in the claude chat. When I try to toggle it on, it just does nothing at all. I've tried in incognito, new browsers, etc. - nothing seems to work.

• Next Page