Self Client - Authorization code flow
Step 1: Generate an authorization code
- Go to the created self client in the API console.
- In the Generate Code tab:
  - Enter the scopes your app needs to access. Use commas to separate multiple scopes. You can refer to the respective product's API documentation for the required scopes.
  - Select an expiry time for the authorization code. By default, it is 3 minutes.
  - Enter a description for the required scopes.
  - Click CREATE.
- If prompted, select the Zoho app and then select the required portal the app needs to access.
- Click CREATE. An authorization code will be generated and displayed.
- Copy or download the authorization code.
Step 2: Get access token and refresh token
Exchange the authorization code for an access token and a refresh token.
Endpoint
Note: The accounts-server-url is specific to the location (i.e., datacenter) where the client is registered. See all the server-specific URLs
Query parameters
Parameter | Description |
client_id | Required. A unique ID displayed under Self Client > Client Secret. |
client_secret | Required. A unique confidential secret displayed under Self Client > Client Secret. |
grant_type | Required. Should be passed with the value authorization_code. |
code | Required. The authorization code generated in the previous step. |
Request example
Response parameters
Parameter | Description |
access_token | An authorized key that can be used by your application to access the required resource (mentioned in the scope). Validity: 1 hour. |
refresh_token | A special token that your application can use to obtain a new access token once the current one has expired. This token won't expire. |
api_domain | The domain the app needs to make service API requests to. |
token_type | Indicates the type of access token that is generated. The token type that is used in Zoho's OAuth implementation is Bearer. |
expires_in | Indicates the time (in seconds) after which the access token will expire. |
Response example
Step 3: Use access token to make API calls
Send your API requests to the service you want to access through the api_domain returned in the response to the access token request. An access token lets you access the resource for an hour, after which it expires. To get a new access token, use the refresh token (see Step 4).
Step 4: Refresh the access token when it expires
When an access token expires, get a new access token using the refresh token.
Endpoint
Note: The accounts-server-url is specific to the location (i.e., datacenter) where the client is registered. See all the server-specific URLs
Query parameters
Parameter | Description |
client_id | Required. A unique ID displayed under Self Client > Client Secret. |
client_secret | Required. A unique confidential secret displayed under Self Client > Client Secret. |
grant_type | Required. Should be passed with the value refresh_token. |
refresh_token | Required. The refresh token you've obtained in step 2. |
Request example
Response parameters
Parameter | Description |
access_token | An authorized key that can be used by your application to access the required resource (mentioned in the scope). Validity: 1 hour. |
api_domain | The domain the app needs to make service API requests to. |
token_type | Indicates the type of access token that is generated. The token type that is used in Zoho's OAuth implementation is Bearer. |
expires_in | Indicates the time (in seconds) after which the access token will expire. |
Response example
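Steps 2 to 4 combined into one token holder, as an added example that is not Zoho's own code: it builds the two grant requests from the parameters listed above, tracks expires_in, and refreshes shortly before expiry. The class name, the `send` transport callable, the `clock` and `margin` arguments are assumptions, and the token endpoint URL is passed in by the caller because it depends on the accounts-server-url of your datacenter.

```python
import time

class SelfClientTokens:
    """Holds the tokens for one self client and refreshes the access token before it expires."""

    def __init__(self, token_url, client_id, client_secret, send, clock=time.monotonic, margin=60):
        # send(token_url, params) is a hypothetical transport that returns the parsed JSON response.
        self._url, self._id, self._secret = token_url, client_id, client_secret
        self._send, self._clock, self._margin = send, clock, margin
        self._access = self._refresh = self.api_domain = None
        self._expires_at = 0.0

    def __repr__(self):  # keep the client secret and tokens out of logs and tracebacks
        return f"SelfClientTokens(client_id={self._id!r}, secrets=<redacted>)"

    def _grant(self, grant_type, **extra):
        params = {"client_id": self._id, "client_secret": self._secret,
                  "grant_type": grant_type, **extra}
        body = self._send(self._url, params)
        if "access_token" not in body:
            # Do not echo the response body: on partial success it may hold token material.
            raise RuntimeError(f"{grant_type} grant failed")
        self._access = body["access_token"]
        self.api_domain = body.get("api_domain", self.api_domain)
        self._expires_at = self._clock() + float(body["expires_in"])
        return body

    def exchange_code(self, code):
        """Step 2: trade the short-lived authorization code for both tokens."""
        body = self._grant("authorization_code", code=code)
        if "refresh_token" not in body:
            raise RuntimeError("no refresh_token in response")
        self._refresh = body["refresh_token"]  # does not expire: store it like a password

    def access_token(self):
        """Steps 3 and 4: return a valid access token, refreshing first if it is near expiry."""
        if self._refresh is None:
            raise RuntimeError("call exchange_code() first")
        if self._clock() >= self._expires_at - self._margin:
            self._grant("refresh_token", refresh_token=self._refresh)
        return self._access
```

Because the refresh token does not expire, persist it in a secrets store rather than in source or plain configuration files, and keep the request parameters out of request logs.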