Protected Resource: All the data present in Zoho Services is defined as a protected resource.
Access Token: An end-user authorized key that lets the client access protected resources from the resource server. The client can make API calls using this access token for up to an hour after the creation of the access token.
Refresh Token: Used to obtain a new access token after the old one expires. A refresh token does not expire. The maximum number of allowed refresh tokens per account is 20. The 21st refresh token will replace the first created refresh token.
Authorization Code: A short-lived authorization token generated by Zoho accounts and sent to the third-party application via the user-agent (usually a web browser). An authorization code can be exchanged for an access token at Zoho Accounts.
|All Zoho end-users who are capable of granting access to protected resources are resource owners.
|Zoho Services that hosts protected resources on their servers. They have APIs designed to respond to protected resource requests via access tokens.
|Third-party applications making protected resource requests on behalf of the resource owner with the user's authorization.
|Zoho Accounts is the authorization server that issues access tokens and refresh tokens to the clients after authenticating and authorizing resource owners.
Scope determines which protected resource of an end-user a client has requested access to. A scope has three parameters: service name, scope name, and operation type.
- Service name: All Zoho products have a service name, such as ZohoCRM or ZohoRecruit
- Scope name: Each product has user data divided into groups defined by scope names.
- Operation type: This can be ALL, READ, CREATE, DELETE, or UPDATE.
You can request an access token with multiple scopes.