Kaizen #168 - Incremental Authorization

Kaizen #168 - Incremental Authorization


Welcome to this week's post in the Kaizen series. In this post, we will discuss Incremental Authorization. 

What is Incremental Authorization?

Incremental Authorization is an OAuth strategy that allows a client to request specific authorization scopes as and when needed. This means that the client does not have to request every possible scope that might be needed upfront, which might result in a bad user experience. Incremental Authorization is considered a best practice in Oauth Authorization Request as:
  • Users are not overloaded with scopes in the initial stage
  • Users can control the amount of data they share

Who can use Incremental Authorization?

Server-based applications can make use of incremental authorization 

Incremental Authorization Flow

Incremental Authorization Flow

When a user first signs into the application, the application requests only the essential permissions needed. The user may trigger features that require additional permissions as they engage with the application. When the application identifies this, it follows the below steps:

Initiation Request (Step 1: Get Scope Enhancement Token )

The application makes a POST request to the endpoint /oauth/v2/token/scopeenhance, including the existing refresh token as a parameter. This request is aimed at obtaining a scope enhancement token, which is necessary for requesting additional permissions.

Scope Enhancement Request (Step 2)

After receiving the scope enhancement token, the app then makes a request to the endpoint /oauth/v2/token/addextrascope. In this request, it specifies which additional scopes are needed.

User Consent

The user is presented with a consent screen that details the new permissions being requested. This screen will only show the new permissions required and not those already granted.
If the user approves these new permissions, the refresh token (used in Step 1) and its associated access tokens will be updated to include the newly granted scopes.

Success Response

Upon successful approval by the user, a success response is returned, confirming that the additional scopes have been appended to the existing refresh token.

When is Incremental Authorization Useful?

Let us take a look at two scenarios where incremental authorization is particularly useful.

Scenario 1 

Zylker Marketing, a marketing agency, utilizes a custom in-house marketing tool that integrates with Zoho CRM.  Initially, the tool has permission to read Leads in Zoho CRM. However, as the marketing team expands their operations, they realize that they require to create new Contacts based on sign-ups and retrieve existing deals data for analysis. The tool is then revamped to create Contacts and view Deals data. 
When a marketer who uses the tool tries to create a Contact for the first time, the incremental authorization method is called in the backend. The marketer is redirected to the Zoho login page. Once logged in, the marketer is prompted to give access to the new resources. This enhances the refresh token, and the tool can continue using the same refresh token. 

Scenario 2

Consider that you want to use a new Zoho CRM API that just got released as part of the version release. Your refresh token does not have the required scope to access the new API.  You can make use of incremental authorization to append the required scope to the same refresh token in these cases.

How can you use Incremental Authorization?

Step 1: Initiation Request 

First, you need to send a request to get the scope enhancement token along with the refresh token for which the extra access is required.

Request format

POST 
{accounts-url}/oauth/v2/token/scopeenhance
?grant_type=update_scopes_token
&client_id={client_id}
&client_secret={client_secret}
&refresh_token={refresh_token}


The accounts-url is specific to the location (i.e., datacenter) where the client is registered. See all the server-specific URLs.
Request Parameters 
You should send the initiation request with the below parameters. All parameters are mandatory
  • grant_type: Specify the value as "update_scopes_token".
  • client_id: Specify the client-id obtained from the API console.
  • client_secret: Specify client-secret obtained from the API console.
  • refresh_token: Specify the refresh token to which the additional scopes should be appended.
You will receive a response in the below format
{
"access_token": "{scope_enhancement_token}",
"token_type": "update_scope",
"expires_in": 600
}

The scope_enhancement_token received in this response should be passed as a parameter in the next step - scope enhancement request.

Step 2: Scope enhancement request

This request appends the refresh token with additional scopes.
Request format
GET
{accounts-url}/oauth/v2/token/addextrascope
?response_type=update_scopes
&client_id={client_id}
&redirect_uri={redirect_uri}
&scope={required_scopes}
&enhance_token={scope_enhancement_token}
&logout=true

Parameters
  • response_type: Specify the value as "update_scopes".
  • client_id: Specify the client-id obtained from the API console.
  • redirect_uri : Specify the URI to which the authorization server will redirect the browser back with success or failure response. It has to be the same URI which is provided when registering the app in the API console.
  • scope: Specify the scopes of the additional resources for which access is required.
  • enhance_token: Scope enhancement token received in the response of the previous initiation request. 
  • logout: Specify as true if the user's session should be terminated after the permission is granted or rejected.
When this request is called, the application redirects the user to the Zoho Login page, and the user enters the Zoho credentials. Then, the permissions required are displayed once the user is authenticated.
The refresh token will be appended with the additional scopes, and a success response will be returned when the user grants permission. The user will be redirected to the redirect_uri with params status as success and scope_enhanced as true. The user can continue using the same refresh token can be used. If the user rejects the authentication, the system returns a failure response.  The user will be redirected to the redirect_uri with params error as access_denied.

You will receive a response in the below formats:

Success Response
{redirect_uri}?status=success&scope_enhanced=true

Failure Response
{redirect_uri}?error=access_denied

We hope you found this post useful. We will meet you next week with another interesting topic!
If you have any questions, let us know in the comment section.
Cheers!


    • Sticky Posts

    • Kaizen #198: Using Client Script for Custom Validation in Blueprint

      Nearing 200th Kaizen Post – 1 More to the Big Two-Oh-Oh! Do you have any questions, suggestions, or topics you would like us to cover in future posts? Your insights and suggestions help us shape future content and make this series better for everyone.

    • Kaizen #226: Using ZRC in Client Script

      Hello everyone! Welcome to another week of Kaizen. In today's post, lets see what is ZRC (Zoho Request Client) and how we can use ZRC methods in Client Script to get inputs from a Salesperson and update the Lead status with a single button click. In this

    • Kaizen #222 - Client Script Support for Notes Related List

      Hello everyone! Welcome to another week of Kaizen. The final Kaizen post of the year 2025 is here! With the new Client Script support for the Notes Related List, you can validate, enrich, and manage notes across modules. In this post, we’ll explore how

    • Kaizen #217 - Actions APIs : Tasks

      Welcome to another week of Kaizen! In last week's post we discussed Email Notifications APIs which act as the link between your Workflow automations and you. We have discussed how Zylker Cloud Services uses Email Notifications API in their custom dashboard.

    • Kaizen #216 - Actions APIs : Email Notifications

      Welcome to another week of Kaizen! For the last three weeks, we have been discussing Zylker's workflows. We successfully updated a dormant workflow, built a new one from the ground up and more. But our work is not finished—these automated processes are

    • Recent Topics

    • Service Title in Service Report Template Builder

      I am currently working on the Service Report Template Builder in Zoho FSM. I have created three separate service report templates for different workflows: Preventive Maintenance Report Requested Service Report Installation Report My issue is that I cannot

    • Update: New Security Admin Role

      Hello Zoho Directory Admins! This post is to highlight the recent role and permission changes introduced as part of the security enhancements. Previously, Helpdesk Admins had the security permissions and were responsible for managing the security configurations

    • Client Script | Update #14 - Client Script Support for Quick Create

      Hello Everyone! We are back with another exciting and highly awaited update in Client Script! Over the past months, many of you shared your insights and requests, asking for the power to extend Client Script functionality to Quick Create forms. This capability

    • I'd like to suggest a feature enhancement for SalesIQ that would greatly improve the user experience across different channels.

      Hello Zoho Team, Current Limitation: When I enable the pre-chat form under Brands > Flow Controls to collect the visitor’s name and email, it gets applied globally across all channels, including WhatsApp, Messenger, and Instagram. This doesn't quite align

    • The Social Playbook - February edition: Why moment marketing works (and how brands use it)

      Imagine the final season of your favorite series is about to drop. Your entire feed is talking about it. Trailers everywhere. Fan theories. Hype at 100%. Now your go-to burger place launches a limited-edition meal box themed around that series—custom

    • PDF Attachment Option for Service Reports

      Hello Team, I would like to check with you all if there is an option to attach PDF documents to the service reports. When I try to attach a file, the system only allows the following formats: JPEG, JPG, and PNG. Could you please confirm whether PDF attachments

    • Cliq Bots - Post message to a bot using the command line!

      If you had read our post on how to post a message to a channel in a simple one-line command, then this sure is a piece of cake for you guys! For those of you, who are reading this for the first time, don't worry! Just read on. This post is all about how

    • Depositing funds to account

      Hello, I have been using Quickbooks for many years but am considering moving to Zoho Books so I am currently running through various workflows and am working on the Invoicing aspect. In QB, the process is to create an invoice, receive payment and then

    • 【Zoho CRM】営業日のロジックに関するアップデート

      ユーザーの皆さま、こんにちは。コミュニティチームの中野です。 今回は「Zoho CRM アップデート情報」の中から、営業日のロジックに関するアップデートをご紹介します。 本アップデートにより、ワークフローにおける営業日の計算方法が改善されました。 週末などの非営業日にワークフローのトリガーが発生した場合でも、 「+0」「+1」「+2 営業日」といった設定が、意図どおりに正確に動作するようになりました。 営業日に基づくワークフローでは、日付項目を基準に「何営業日後に処理を実行するか」を指定します。

    • Merged cells are unmerging automatically

      Hello, I have been using Zoho sheets from last 1 year. But from last week facing a issue in merged cells. While editing all merged cells in a sheet became unmerged. I merged it again, but it again unmerged. In my half an hour work I have to do this 3-4

    • Introducing Built-in Telephony in Zoho Recruit

      We’re excited to introduce Built-in Telephony in Zoho Recruit, designed to make recruiter–candidate communication faster, simpler, and fully traceable. These capabilities help you reduce app switching, handle inbound calls efficiently, and keep every

    • Just want email and office for personal use

      I am unclear as how to how I would have just a personal email (already do have it and love it) and get to use docs, notebook, workdrive etc. In other words mostly everything I had a google. I find gocs can be free with 5gb and so can mail with 5gb. Are

    • Unable to change the "credentials of login user" option when creating a connection

      I want to create a new Desk connection where the parameter to use 'credentials of login user' is set to YES. I'm able to create a new connection but am never given the option to change this parameter. Is this a restriction of my user profile, and if so,

    • Show backordered items on packing slip

      Is it possible to show a column on the Packing Slip that shows number of backordered items when a PO is only partially filled? I would also like to see the Backordered column appear on POs after you receive items if you didn't get ALL of the items or partial amounts of items. And lastly, it would be nice to have the option of turning on the Backordered column for invoices if you only invoice for a partial order. -Tom

    • Zoho Sheet for Desktop

      Does Zoho plans to develop a Desktop version of Sheet that installs on the computer like was done with Writer?

    • Zoho CRM Community Digest - January 2026 | Part 1

      The new year is already in motion, and the Zoho CRM Community has been buzzing with steady updates and thoughtful conversations. In this edition, we’ve pulled together the key product enhancements, Kaizen learnings, and helpful discussions from the first

    • Zoho CRM Feature Requests - SMS and Emails to Custom Modules & Time Zone Form Field

      TLDR: Add Date/Time/Timezone form field, and be able to turn off auto timezone feature. Allow for Zoho Voices CRM SMS Extension to be able to be added to custom modules, and cases. Create a feature that tracks emails by tracking the email chain, rather

    • Introducing Bigin's Add-in for Microsoft Outlook

      Hello Everyone, Email is an important way to communicate with customers and prospects. If you use Outlook.com for emails and Bigin as your CRM, the Outlook Add-in helps you connect them easily so you can see your Bigin contact details right inside Outlook.com.

    • Ask the Expert – Zoho One Admin Track : une session dédiée aux administrateurs Zoho One

      Vous administrez Zoho One et vous vous posez des questions sur la configuration, la gestion des utilisateurs, la sécurité ou encore l’optimisation de votre back-office ? Bonne nouvelle : une session Ask the Expert – Zoho One Admin Track arrive bientôt,

    • Zoho Commerce

      Hi, I have zoho one and use Zoho Books. I am very interested in Zoho Commerce , especially with how all is integrated but have a question. I do not want my store to show prices for customers that are not log in. Is there a way to hide the prices if not

    • How to Associate Zoho Projects in Zoho CRM

      Hi I need script for associating projects in zoho projects to particular Account in zoho CRM side. It can be done manually but I need the automation for this process. There are no api regarding associating a project in zoho crm account. Need assistance

    • Add Claude in Zoho Cliq

      Let’s add a real AI assistant powered by Claude to your workspace this week, that your team can chat with, ask questions, and act on conversations to run AI actions on. This guide walks you through exactly how to do it, step by step, with all the code

    • Need to set workflow or journey wait time (time delay) in minutes, not hours

      Minimum wait time for both Campaigns workflows and Marketing Automation journeys is one hour. I need one or the other to be set to several minutes (fraction of the hour). I tried to solve this by entering a fraction but the wait time data type is an integer

    • Editing Item Group to add Image

      I did not have the image of the product when the Item Group was created. Now I have the product image, and would like to associate/add to the Item Group. However the Item Group Edit functionality does not show/allow adding/changing image. Please hel

    • Urgent: Slow Loading Issue on Zoho Commerce Website

      Dear Zoho Support Team, I am experiencing slow loading times on my Zoho Commerce website, which is affecting its performance and user experience. The issue persists across different devices and networks. Could you please investigate this matter and provide

    • Zoho Books - France

      L’équipe de Zoho France reçoit régulièrement des questions sur la conformité de ses applications de finances (Zoho Books/ Zoho Invoice) pour le marché français. Voici quelques points pour clarifier la question : Zoho Books est un logiciel de comptabilité

    • New in Office Integrator: Download documents as password-protected PDFs

      Hi users, We're excited to introduce password-protected PDF as a download option in Zoho Office Integrator's document editor. This allows you to securely share confidential information from within your web app. Highlights of the password-protected PDF

    • Sales IQ - Zobot en multilangue

      Bonjour, J'ai un Zobot installé sur mon site depuis longtemps. J'ai ajouté plusieurs langues, dans la configuration et dans le générateur de bot sans code Pourtant, le Chat continue à s'afficher en Francais. Comment enclencher le multilangue en front

    • Streamlining E-commerce Photography with AI Background Tools

      Hey Zoho Community, I’ve been messing around with ways to make product images less of a headache for fashion brands on Zoho Commerce. You know how boring generic backdrops can get, and how much time traditional photoshoots eat up, right? I tried out this

    • Unable to Assign Multiple Categories to a Single Product in Zoho Commerce

      Hello Zoho Commerce Support Team, I am facing an issue while assigning categories to products in Zoho Commerce. I want to assign multiple categories to a single product, but in the Item edit page, the Category field allows selecting only one category

    • Collapsing and expanding of lists and paragraphs

      hello Would you ever implement Collapsing and expanding of lists and paragraphs in zoho writer ? Best regards

    • Saving issue

      First problem I opened a MS word file in writer. after the work is done, it does not save instantly, I waited for like 10min and it still did not save. second problem When I save a file, then file gets saved as another copy. I just did save, not save

    • Serious problem with file that contains non-ASCII characters

      I imported many pdf files from Evernote whose names contain Hebrew characters, such as ח רבעוני - ביטוח חיים - סוף רבעון 3 - לשנת 2025.pdf I have two very serious problems: (1) Zoho Notebook cannot open the pdf file; (2) It cannot download the pdf file.

    • Notifications Feeds unread count?

      How do I reset the unread count on feeds notifications?  I've opened every notification in the list.  And the count never goes to zero.

    • Zoho Finance Limitations 2.0 #3: Can't assign a Contact to a Finance Record (estimate, sales order or invoice)

      If you use a business to business scenario with different contact people within the company you can't assign a finance record (estimate, invoice, etc...) to that person. Why this matters? No way to find out which person placed the order without manual

    • Zoho Community Digest — Febrero 2026

      ¡Hola, comunidad! Un mes más os traemos las novedades más interesantes de Zoho para febrero de 2026, incluyendo actualizaciones de producto publicadas oficialmente, cambios de políticas y noticias del ecosistema. Pero antes de lanzarnos a las actualizaciones,

    • Disable Zoho Contacts

      We don't want to use this app... How can we disable it?

    • Filter button in the Zoho Sheet Android App doesn't toggle on

      I am a new Zoho Sheets user and experiencing a specific issue with the filter functionality in the Android mobile application. Detailed Issue Description: The filter icon appears correctly in the toolbar. Upon tapping the filter icon/button, the toggle

    • 【Zoho CRM】商談タブへのデータインポート

      Zoho使用前にエクセルで管理していた商談情報を、Zoho一括管理のため、商談タブにインポートしたいのですが、お客さまの氏名だけが紐づけられませんでした。 「Zoho CRMにインポートする項目を関連付ける」のところが画像のようになっています。 (弊社では、「姓」を「★個人データ名」という項目名に変更し、フルネームを入れて使用しています。) どのようにしたら氏名をインポートできるかご存じの方がいらっしゃいましたら、ご教示いただきたく、よろしくお願いいたします。 (投稿先が間違っていましたらご指

    • CRM Cadences recognise auto-responses

      I have leads in a Cadence. I get an auto-responder reply "I'm out of the office..." Normally Cadences seems to know that isn't a real reply and keeps the lead enrolled in the cadence. However, today, Cadences has UNENROLLED a Lead who sent an auto-reponse

    • Next Page