Skip to main content
Zoho commerce
Zoho commerce

Step 4: Grant Access Token from Refresh Token

Access tokens expire in an hour. Client applications must make the following request and use their user's refresh token to generate another access token:

Request URL

https://<base_accounts_url>/oauth/v2/token?refresh_token=<refresh_token>&client_id=<client_id>&client_secret=<client_secret>&grant_type=refresh_token

Note: For Storefront Portal API's use https://accounts.zohoportal.com/clientoauth/v2/<PORTAL_ID>/token

Request Method

POST

where,

ParameterDescription
refresh_tokenRefresh Token which is obtained from the above step
client_idClient ID is obtained during Client Registration.
client_secretClient secret is obtained during Client Registration.
redirect_urlThis parameter should be the same redirect URL mentioned while registering the Client.
base_accounts_urlThe base account URL of your Zoho Account. 

Understanding the response

The success or failure of the API will be conveyed in its response. The response of the generate token API will include:

access_token

The access token that the requesting user will need to access the resources that correspond to the scopes that were included while making the authorization request.

expires_in

The time (in seconds) after which the access token will expire.

api_domain

The domain where the API calls are to be made for the requesting user. Though the value will contain the zohoapis domain, the client application must use your Creator account's base URL in its API requests. For example, if your account belongs to Zoho's US DC, the client must make the API requests at commerce.zoho.com

token_type

This indicates the generated token's type. The value Bearer indicates that it's an access token.

Note:

  • A maximum of 5 refresh tokens can be generated per minute.
  • A user in an organization can have a maximum of 20 refresh tokens, and each refresh token can have a maximum of 30 active access tokens at any time.
  • When the request is made to generate the 31st access token, the authorization server will delete that user’s first access token. Similarly, when the request is made to create the 21st fresh token, the authorization server will delete that user’s first refresh token.

Possible Errors

invalid_client

Ensure that you have passed the right client ID and client secret.
Ensure that you have used the same Zoho account base URL that you used while making the authorization request.

invalid_code

The authorization code that you generated may either have expired or already been exchanged for an access token.
The refresh token that was used to generate the access token may either have expired or been revoked.

Sample Request

Copiedcurl "https://accounts.zoho.com/oauth/v2/token?refresh_token=1000.3ph66exxxxxxx6ce34.3c4xxxxxxxxxf&client_id=1000.xxxxxxxxxxHF2C6H&client_secret=xxxxxxxxx4f4f7a&grant_type=refresh_token"
- POST

Sample Response

Copied{
    "access_token": "1000.6jh82dxxxxxxxxxxxxx9be93.9b8xxxxxxxxxxxxxxxf",
    "expires_in": 3600,
    "api_domain": "https://www.zohoapis.com",
    "token_type": "Bearer"
}
Though the api_domain key in the response contains the zohoapis domain, the client application must use your Commerce account's base URL in its API requests. For example, if your account belongs to Zoho's US DC, the client must make the API requests at commerce.zoho.com

© 2025, Zoho Corporation Pvt. Ltd. All Rights Reserved.