OAuth Overview

What is OAuth?

OAuth 2.0 is an industry-standard protocol specification that enables third-party applications (clients) to obtain delegated access to protected resources in Zoho via an API.

Advantages of OAuth

  • Clients are not required to support password authentication or to store user credentials.
  • Clients gain delegated access, i.e., access only to the resources the user has authorized.
  • Users can revoke a third-party application's delegated access at any time.
  • OAuth access tokens expire after a set time. If the client suffers a security breach, user data is exposed only for as long as the access token remains valid.

Why move to OAuth from Authtoken?

  1. OAuth follows a specific standard protocol. Authorization via authtoken does not follow a standard protocol, so clients must first find out how authtoken-based authorization is implemented in Zoho before they can use it.
  2. The scope of access granted by an OAuth access token must be viewed and authorized by the user. An authtoken can be generated without the user ever seeing what the authtoken gives access to.

OAuth Workflow

Zoho REST APIs use OAuth for authorization and for access to protected resources. OAuth is traditionally implemented in four ways, catering to different client types; however, all of the OAuth implementations follow a similar workflow.

  1. Register your application with Zoho to receive your client credentials, which Zoho uses to identify your application. Go to Client Registration to learn how to register your application.
  2. Obtain an access token and an optional refresh token from Zoho Accounts via one of the following OAuth constructs:
    • Web Server Applications
    • JavaScript Client Applications
    • Mobile Applications
    • Limited Input Devices
  3. Use the access token to make API calls for data.
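The three-step workflow above (and the token-expiry point made under Advantages of OAuth), as an added example that is not Zoho's code: a Python simulation of the web-server (authorization-code) variant, with an in-process stand-in for Zoho Accounts so that it runs offline. The authorization URL, client credentials, scope name and redirect URI are constructed placeholders, and the stand-in server's behaviour (credential check, single-use codes, bearer-token expiry, refresh) is an assumption made for the example, not a description of Zoho's implementation.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTH_ENDPOINT = "https://accounts.example.com/oauth/v2/auth"  # assumed placeholder, not Zoho's


class FakeAuthServer:
    """In-memory stand-in for Zoho Accounts plus one protected API (runs offline)."""

    def __init__(self, client_id, client_secret, access_ttl=3600):
        self.client_id, self.client_secret, self.ttl = client_id, client_secret, access_ttl
        self.codes, self.refresh_tokens, self.access_tokens = {}, {}, {}

    def user_consents(self, scope):
        """The user reviews the requested scope and approves; a one-time code is issued."""
        code = secrets.token_urlsafe(16)
        self.codes[code] = scope
        return code

    def _issue_access(self, scope, now):
        token = secrets.token_urlsafe(24)
        self.access_tokens[token] = (scope, now + self.ttl)   # expiry recorded server-side
        return {"access_token": token, "token_type": "Bearer", "expires_in": self.ttl}

    def token(self, form, now):
        """Token endpoint: exchanges an authorization code or a refresh token for tokens."""
        if (form.get("client_id"), form.get("client_secret")) != (self.client_id, self.client_secret):
            return {"error": "invalid_client"}
        if form.get("grant_type") == "authorization_code":
            scope = self.codes.pop(form.get("code"), None)     # code is consumed here
            if scope is None:
                return {"error": "invalid_grant"}              # unknown or reused code
            refresh = secrets.token_urlsafe(24)
            self.refresh_tokens[refresh] = scope
            return {**self._issue_access(scope, now), "refresh_token": refresh}
        if form.get("grant_type") == "refresh_token":
            scope = self.refresh_tokens.get(form.get("refresh_token"))
            return self._issue_access(scope, now) if scope else {"error": "invalid_grant"}
        return {"error": "unsupported_grant_type"}

    def resource(self, authorization, now):
        """Protected API (step 3): accepts only an unexpired bearer token."""
        entry = self.access_tokens.get(authorization.removeprefix("Bearer "))
        if entry is None or entry[1] <= now:
            return 401, {"error": "invalid_token"}
        return 200, {"data": "ok", "scope": entry[0]}


class OAuthClient:
    """Web-server client: consent URL, callback validation, token storage, refresh."""

    def __init__(self, server, client_id, client_secret, redirect_uri):
        self.server, self.redirect_uri = server, redirect_uri
        self.creds = {"client_id": client_id, "client_secret": client_secret}
        self.pending_state = self.access_token = self.refresh_token = None
        self.expires_at = 0

    def authorization_url(self, scopes):
        """Step 2a: redirect the user here; `state` is random and bound to this session."""
        self.pending_state = secrets.token_urlsafe(32)
        params = {"response_type": "code", "client_id": self.creds["client_id"],
                  "redirect_uri": self.redirect_uri, "scope": " ".join(scopes),
                  "access_type": "offline", "state": self.pending_state}
        return f"{AUTH_ENDPOINT}?{urlencode(params)}"

    def handle_callback(self, callback_url, now):
        """Step 2b: verify `state` (rejects forged callbacks), then exchange the code."""
        query = parse_qs(urlparse(callback_url).query)
        state = query.get("state", [""])[0]
        if not self.pending_state or not secrets.compare_digest(state, self.pending_state):
            raise ValueError("state mismatch: callback was not started by this session")
        self.pending_state = None
        self._store(self.server.token({"grant_type": "authorization_code", "code": query["code"][0],
                                       "redirect_uri": self.redirect_uri, **self.creds}, now), now)

    def _store(self, body, now):
        if "error" in body:
            raise ValueError("token endpoint error: " + body["error"])
        self.access_token = body["access_token"]
        self.refresh_token = body.get("refresh_token", self.refresh_token)
        self.expires_at = now + body["expires_in"] - 60    # renew a minute early

    def call_api(self, now):
        """Step 3: call the API, refreshing first if the access token has expired."""
        if now >= self.expires_at:
            self._store(self.server.token({"grant_type": "refresh_token", **self.creds,
                                           "refresh_token": self.refresh_token}, now), now)
        return self.server.resource("Bearer " + self.access_token, now)


def run_flow(now=1000, scope="Example.records.READ"):   # constructed scope name
    """Drive the whole workflow; returns (fresh-token result, refreshed-token result)."""
    server = FakeAuthServer("demo-client-id", "demo-client-secret")   # constructed values
    client = OAuthClient(server, "demo-client-id", "demo-client-secret",
                         "https://app.example.com/callback")
    state = parse_qs(urlparse(client.authorization_url([scope])).query)["state"][0]
    code = server.user_consents(scope)            # the user approves at the server
    client.handle_callback(f"{client.redirect_uri}?code={code}&state={state}", now)
    return client.call_api(now), client.call_api(now + 5000)   # second call refreshes first
```

`run_flow()` walks the steps in order: the client builds the consent URL, the user approves the requested scope, the callback is checked against the stored `state`, the one-time code is exchanged for an access and refresh token, and the second API call shows the client refreshing transparently once the access token has aged past its `expires_in`. In a real deployment `FakeAuthServer.token` and `FakeAuthServer.resource` become HTTPS requests to Zoho Accounts and the Zoho API; the `state` check, the single-use code, and the expiry check are the parts to keep.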