Kaizen #168 - Incremental Authorization

Kaizen #168 - Incremental Authorization


Welcome to this week's post in the Kaizen series. In this post, we will discuss Incremental Authorization. 

What is Incremental Authorization?

Incremental Authorization is an OAuth strategy that allows a client to request specific authorization scopes as and when needed. This means that the client does not have to request every possible scope that might be needed upfront, which might result in a bad user experience. Incremental Authorization is considered a best practice in Oauth Authorization Request as:
  • Users are not overloaded with scopes in the initial stage
  • Users can control the amount of data they share

Who can use Incremental Authorization?

Server-based applications can make use of incremental authorization 

Incremental Authorization Flow

Incremental Authorization Flow

When a user first signs into the application, the application requests only the essential permissions needed. The user may trigger features that require additional permissions as they engage with the application. When the application identifies this, it follows the below steps:

Initiation Request (Step 1: Get Scope Enhancement Token )

The application makes a POST request to the endpoint /oauth/v2/token/scopeenhance, including the existing refresh token as a parameter. This request is aimed at obtaining a scope enhancement token, which is necessary for requesting additional permissions.

Scope Enhancement Request (Step 2)

After receiving the scope enhancement token, the app then makes a request to the endpoint /oauth/v2/token/addextrascope. In this request, it specifies which additional scopes are needed.

User Consent

The user is presented with a consent screen that details the new permissions being requested. This screen will only show the new permissions required and not those already granted.
If the user approves these new permissions, the refresh token (used in Step 1) and its associated access tokens will be updated to include the newly granted scopes.

Success Response

Upon successful approval by the user, a success response is returned, confirming that the additional scopes have been appended to the existing refresh token.

When is Incremental Authorization Useful?

Let us take a look at two scenarios where incremental authorization is particularly useful.

Scenario 1 

Zylker Marketing, a marketing agency, utilizes a custom in-house marketing tool that integrates with Zoho CRM.  Initially, the tool has permission to read Leads in Zoho CRM. However, as the marketing team expands their operations, they realize that they require to create new Contacts based on sign-ups and retrieve existing deals data for analysis. The tool is then revamped to create Contacts and view Deals data. 
When a marketer who uses the tool tries to create a Contact for the first time, the incremental authorization method is called in the backend. The marketer is redirected to the Zoho login page. Once logged in, the marketer is prompted to give access to the new resources. This enhances the refresh token, and the tool can continue using the same refresh token. 

Scenario 2

Consider that you want to use a new Zoho CRM API that just got released as part of the version release. Your refresh token does not have the required scope to access the new API.  You can make use of incremental authorization to append the required scope to the same refresh token in these cases.

How can you use Incremental Authorization?

Step 1: Initiation Request 

First, you need to send a request to get the scope enhancement token along with the refresh token for which the extra access is required.

Request format

POST 
{accounts-url}/oauth/v2/token/scopeenhance
?grant_type=update_scopes_token
&client_id={client_id}
&client_secret={client_secret}
&refresh_token={refresh_token}


The accounts-url is specific to the location (i.e., datacenter) where the client is registered. See all the server-specific URLs.
Request Parameters 
You should send the initiation request with the below parameters. All parameters are mandatory
  • grant_type: Specify the value as "update_scopes_token".
  • client_id: Specify the client-id obtained from the API console.
  • client_secret: Specify client-secret obtained from the API console.
  • refresh_token: Specify the refresh token to which the additional scopes should be appended.
You will receive a response in the below format
{
"access_token": "{scope_enhancement_token}",
"token_type": "update_scope",
"expires_in": 600
}

The scope_enhancement_token received in this response should be passed as a parameter in the next step - scope enhancement request.

Step 2: Scope enhancement request

This request appends the refresh token with additional scopes.
Request format
GET
{accounts-url}/oauth/v2/token/addextrascope
?response_type=update_scopes
&client_id={client_id}
&redirect_uri={redirect_uri}
&scope={required_scopes}
&enhance_token={scope_enhancement_token}
&logout=true

Parameters
  • response_type: Specify the value as "update_scopes".
  • client_id: Specify the client-id obtained from the API console.
  • redirect_uri : Specify the URI to which the authorization server will redirect the browser back with success or failure response. It has to be the same URI which is provided when registering the app in the API console.
  • scope: Specify the scopes of the additional resources for which access is required.
  • enhance_token: Scope enhancement token received in the response of the previous initiation request. 
  • logout: Specify as true if the user's session should be terminated after the permission is granted or rejected.
When this request is called, the application redirects the user to the Zoho Login page, and the user enters the Zoho credentials. Then, the permissions required are displayed once the user is authenticated.
The refresh token will be appended with the additional scopes, and a success response will be returned when the user grants permission. The user will be redirected to the redirect_uri with params status as success and scope_enhanced as true. The user can continue using the same refresh token can be used. If the user rejects the authentication, the system returns a failure response.  The user will be redirected to the redirect_uri with params error as access_denied.

You will receive a response in the below formats:

Success Response
{redirect_uri}?status=success&scope_enhanced=true

Failure Response
{redirect_uri}?error=access_denied

We hope you found this post useful. We will meet you next week with another interesting topic!
If you have any questions, let us know in the comment section.
Cheers!


    • Sticky Posts

    • Kaizen #198: Using Client Script for Custom Validation in Blueprint

      Nearing 200th Kaizen Post – 1 More to the Big Two-Oh-Oh! Do you have any questions, suggestions, or topics you would like us to cover in future posts? Your insights and suggestions help us shape future content and make this series better for everyone.

    • Kaizen #226: Using ZRC in Client Script

      Hello everyone! Welcome to another week of Kaizen. In today's post, lets see what is ZRC (Zoho Request Client) and how we can use ZRC methods in Client Script to get inputs from a Salesperson and update the Lead status with a single button click. In this

    • Kaizen #222 - Client Script Support for Notes Related List

      Hello everyone! Welcome to another week of Kaizen. The final Kaizen post of the year 2025 is here! With the new Client Script support for the Notes Related List, you can validate, enrich, and manage notes across modules. In this post, we’ll explore how

    • Kaizen #217 - Actions APIs : Tasks

      Welcome to another week of Kaizen! In last week's post we discussed Email Notifications APIs which act as the link between your Workflow automations and you. We have discussed how Zylker Cloud Services uses Email Notifications API in their custom dashboard.

    • Kaizen #216 - Actions APIs : Email Notifications

      Welcome to another week of Kaizen! For the last three weeks, we have been discussing Zylker's workflows. We successfully updated a dormant workflow, built a new one from the ground up and more. But our work is not finished—these automated processes are

    • Recent Topics

    • Tables for Europe Datacenter customers?

      It's been over a year now for the launch of Zoho Tables - and still not available für EU DC customers. When will it be available?

    • Does Zoho has chatroom/chatbot url feature?

      Hi Zoho community! I’m looking for a quick "Yes/No" answer for my dev team regarding Zoho’s capabilities. We currently use Zoho Desk for our Service Team and Zoho CRM for our Marketing Team to bring both functions under one platform. Our question: Does

    • One Support Email Managed By Multiple Departments

      Hello, We use one support email (support@company.com). Incoming emails come to the "Support Department" and based on what the customer is asking, we route that ticket to different departments (billing, technical support, etc.). When users in these different

    • What's New in Zoho Analytics - February 2026

      Hello Users! We're back with another round of updates for Zoho Analytics. This month's release focuses on giving you greater flexibility in how you visualize, manage, and act on your data - with new features like custom visualizations, remote MCP server,

    • Is it Possible to Modify Standard Report Urls

      Is there a way to permanently modify standard report Urls? Use case: Suppose I have a Products report. Showing list as timeline, calendar, or kanban doesn't make sense. Want to hide that from users by adding #Report:Products?zc_ShowAs=false&zc_Print=false

    • Updated font library: New font styles and custom font options in Zoho Sheet

      Zoho Sheet's font library now supports 500+ font styles in 60+ languages! The updated font library is stacked with new font styles, and some of the previously available font styles have been replaced with equivalent options. There are two ways you can

    • scope for phonebridge in CRM and phonebridge API documentation

      Hi I cannot find the scope to be used for phonebridge in CRM API V2 calls. I am getting OAUTH_SCOPE_MISMATCH for scope group ZohoCRM.modules.ALL,ZohoCRM.setttings.ALL Also I am not able to locate the documentation for the same, All I have is phonebridge

    • This domain is not allowed to add. Please contact support-as@zohocorp.com for further details

      I am trying to setup the free version of Zoho Mail. When I tried to add my domain, theselfreunion.com I got the error message that is the subject of this Topic. I've read your other community forum topics, and this is NOT a free domain. So what is the

    • Does Zoho Mail Have Popout windows?

      I recently switched my work email over to Zoho and everything I read said that you can popout the draft email as you're writing, however, all the pictures or info I've seen show the typical popout arrow in the top right, which I can not for the life of

    • This domain is not allowed to add in Zoho. Please contact support-as@zohocorp.com for further details

    • Job Alerts for Candidates

      hi All, I have 2 questions relating to sharing job details with candidates. 1. is there a way to notify candidates that meet certain criteria of current jobs available? eg. I run a candidate search, and identify 50 candidates that might be suitable. Can

    • Zoho Wiki or new Zoho Learn

      We are currently evaluating if we should move off confluence. At present in Confluence we have multiple levels within our documentation but with learn it looks like you can only have Space       - Manual             - Chapter Is it possible to have levels below Chapter? Also the same question for the existing wiki, can I have more sub-levels?

    • Fix image at bottom of a page fot automatic proposal creation

      I'm working on a proposal document to automate our proposal creation process. So far it works fine, but I experience some problems with an image I want to have fixed at the bottom of the page AND above the footer. This section of the document consists

    • Can't scroll the page down unless I refresh the page

      Hello, This issue has been going on with me and a lot of other users in my organization, we can't scroll down! the scrolling side bar doesn't appear and scrolling down through mouse or keyboard keys doesn't work, it seems that the page just ends in the

    • Price List

      II want to restrict the items to display in sales, quote, etc for which custom rates are added in price list. How I can do the same in Zoho books

    • Let’s Talk Recruit: Still switching tabs to source?

      Welcome back to the Let’s Talk Recruit series. Let’s talk about how you actually source talent. Do you open multiple job boards every single time a role opens? Run the same keyword searches you ran yesterday? Download, upload, rename, and then do it again

    • Kaizen #231 - Embedding Zoho Desk Tickets in Zoho CRM

      Hello, CRM Wizards! This week, let us enhance cross-team visibility between Zoho CRM and Zoho Desk. We will use the Zoho Request Client inside a Related List widget to display open Zoho Desk tickets directly within the Contact record in Zoho CRM. This

    • Introducing a smarter, faster, and more flexible charting experience

      Hello Zoho Sheet users, We're delighted to share the latest news about a major update to charts in Zoho Sheet! The new version supports dynamic data ranges, granular styling options, faster loading, and other interesting enhancements that allow you to

    • Introducing Job Alerts

      Keeping candidates engaged beyond their first application is one of the most consistent hiring challenges. Many interested candidates simply do not revisit career sites regularly, which can result in missed opportunities and reduced re-applications. To

    • Where is the settings option in zoho writer?

      hi, my zoho writer on windows has menu fonts too large. where do i find the settings to change this option? my screen resolution is correct and other apps/softwares in windows have no issues. regards

    • Enhance Sign CRM integration

      Hello all, I'm working on a custom Deluge script to enhance the integration between Zoho CRM and Sign by using a writer merge template for additional flexibility. I want to replicate the post-sign document integration that exists between CRM and Sign

    • Task status - completed - other options

      I have a dumb question I know i can make custom statuses for the tasks - but is there anyway to make additional "completed" statuses like for instance if i have a task "call back customer" and i leave a vm for them to call back marking it "completed -

    • Bank feed integration First Abu Dhabi Bank (FAB) to Zoho? (UAE)

      Hello everyone, Is First Abu Dhabi Bank in the list of banks available for bank feed integration with Zoho Books? Thank you.

    • How to Export Filtered List of Contacts?

      This seems like it should be simple, but I'm stymied. I'm trying to export a filtered list of my Contacts for analysis in a spreadsheet. The use case is that I'm an ecom business based in the US. The bulk of our customers are individuals stored as Contacts.

    • Quick Create needs Client Script support

      As per the title. We need client scripts to apply at a Quick Create level. We enforce logic on the form to ensure data quality, automate field values, etc. However, all this is lost when a user attempts a "Quick Create". It is disappointing because, from

    • can we add product images in Zoho CRM Quote PDF template?

      I want to create a quotation format in Zoho CRM similar to the attached PDF, where each product is displayed in a table with rpoduct image I need the product image to appear inside the line items section of the quote. However, while checking the Quote

    • Does Zoho Writer have Dropdowns

      I want to add a drop down field in Zoho writer. Is this possible?

    • Facturation électronique 2026 - obligation dès le 1er septembre 2026

      Bonjour, Je me permets de réagir à divers posts publiés ici et là concernant le projet de E-Invoicing, dans le cadre de la facturation électronique prévue très prochainement. Dans le cadre du passage à la facturation électronique pour les entreprises,

    • Connecting Multiple WooCommerce Stores to a Single Zoho Marketing Automation Account

      Is it possible to connect multiple WooCommerce stores to a single Zoho Marketing Automation account?

    • Service Title in Service Report Template Builder

      I am currently working on the Service Report Template Builder in Zoho FSM. I have created three separate service report templates for different workflows: Preventive Maintenance Report Requested Service Report Installation Report My issue is that I cannot

    • Update: New Security Admin Role

      Hello Zoho Directory Admins! This post is to highlight the recent role and permission changes introduced as part of the security enhancements. Previously, Helpdesk Admins had the security permissions and were responsible for managing the security configurations

    • Client Script | Update #14 - Client Script Support for Quick Create

      Hello Everyone! We are back with another exciting and highly awaited update in Client Script! Over the past months, many of you shared your insights and requests, asking for the power to extend Client Script functionality to Quick Create forms. This capability

    • I'd like to suggest a feature enhancement for SalesIQ that would greatly improve the user experience across different channels.

      Hello Zoho Team, Current Limitation: When I enable the pre-chat form under Brands > Flow Controls to collect the visitor’s name and email, it gets applied globally across all channels, including WhatsApp, Messenger, and Instagram. This doesn't quite align

    • The Social Playbook - February edition: Why moment marketing works (and how brands use it)

      Imagine the final season of your favorite series is about to drop. Your entire feed is talking about it. Trailers everywhere. Fan theories. Hype at 100%. Now your go-to burger place launches a limited-edition meal box themed around that series—custom

    • PDF Attachment Option for Service Reports

      Hello Team, I would like to check with you all if there is an option to attach PDF documents to the service reports. When I try to attach a file, the system only allows the following formats: JPEG, JPG, and PNG. Could you please confirm whether PDF attachments

    • Cliq Bots - Post message to a bot using the command line!

      If you had read our post on how to post a message to a channel in a simple one-line command, then this sure is a piece of cake for you guys! For those of you, who are reading this for the first time, don't worry! Just read on. This post is all about how

    • Depositing funds to account

      Hello, I have been using Quickbooks for many years but am considering moving to Zoho Books so I am currently running through various workflows and am working on the Invoicing aspect. In QB, the process is to create an invoice, receive payment and then

    • 【Zoho CRM】営業日のロジックに関するアップデート

      ユーザーの皆さま、こんにちは。コミュニティチームの中野です。 今回は「Zoho CRM アップデート情報」の中から、営業日のロジックに関するアップデートをご紹介します。 本アップデートにより、ワークフローにおける営業日の計算方法が改善されました。 週末などの非営業日にワークフローのトリガーが発生した場合でも、 「+0」「+1」「+2 営業日」といった設定が、意図どおりに正確に動作するようになりました。 営業日に基づくワークフローでは、日付項目を基準に「何営業日後に処理を実行するか」を指定します。

    • Merged cells are unmerging automatically

      Hello, I have been using Zoho sheets from last 1 year. But from last week facing a issue in merged cells. While editing all merged cells in a sheet became unmerged. I merged it again, but it again unmerged. In my half an hour work I have to do this 3-4

    • Introducing Built-in Telephony in Zoho Recruit

      We’re excited to introduce Built-in Telephony in Zoho Recruit, designed to make recruiter–candidate communication faster, simpler, and fully traceable. These capabilities help you reduce app switching, handle inbound calls efficiently, and keep every

    • Next Page