Generating Token

Refresh Token
Refresh token is used to obtain new access tokens. This token has an unlimited lifetime, it can be revoked manually.

Access Token
A token that is sent to the resource server to access the protected resources of the user. Each access token will be valid only for an hour, and can be used only for the set of operations that is described in the scope.

After generating the code, a POST request has to be made for the following URI, with the params given below, to generate refresh_token and access_token.

https://<ZohoAccounts_Server_URI>/oauth/v2/token

Post

The below URL is used to generate access token and refresh token. 
https://accounts.zoho.com/oauth/v2/token?code=<CODE>&client_id=<CLIENT_ID>&client_secret=<CLIENT_SECRET>&redirect_uri=<REDIRECT_URI>&grant_type=authorization_code

 

Parameter Name
Description
code*<code> which is obtained in the above step (Step 2)
client_id*<client_id> obtained during Client Registration (Step 1)
client_secret*<client_secret> obtained during Client Registration (Step 1)
redirect_uriThis param should be same redirect url mentioned while adding Client (Step 1).
This param is not required when self client application type is choosen during Client Registration (Step 1).
grant_type*authorization_code (provide this literal string as value)
scopeScope

 (scope is nothing but a permission to access specific API) for which the token to be generated. Multiple scopes can be given, separated by commas.
Example: ZohoAnalytics.data.all,ZohoAnalytics.modeling.create
Refer: available scopes

stateAn opaque string that is round-tripped in the protocol; that is to say, value will be passed back to the user.

Note: Fields with * are mandatory

  1. In response, you will get both <access_token> and <refresh_token>.
     

    {
    "refresh_token": "{refresh_token}",
    "api_domain": "https://www.zohoapis.com",
    "token_type": "Bearer",
    "expires_in": 3600
    }

  2. The <access_token> will expire after an hour.
  3. The <refresh_token> is permanent and will be used to regenerate new <access_token>, if the current access token expired.
NOTE: Each time a re-consent page is accepted, a new refresh token is generated. The maximum limit is 20 refresh tokens per user. If this limit is crossed, the first refresh token is automatically deleted to accommodate the latest one. This is done irrespective of whether the first refresh token is in use or not. (You can manually delete a refresh token by revoke request.)