Client-based Applications
If your application requires API access only when the user is using your application, then you must use this OAuth flow. This flow is also known as the Implicit Flow.
Terminology
Protected Resource: All the data present in Zoho Services is defined as a protected resource.
Access Token: An end-user authorized key that lets the client access protected resources from the resource server. The client can make API calls using this access token for up to an hour after the creation of the access token.
| Role | Definition |
|---|---|
| Resource Owners | All Zoho endusers who are capable of granting access to protected resources are resource owners. |
| Resource Servers | Zoho Services that host protected resources on their servers. They have APIs designed to respond to protected resource requests via access tokens. |
| Clients | Third-party applications making protected resource requests on behalf of the resource owner with the user's authorization. |
| Authorization Server | Zoho Accounts is the authorization server that issues access tokens and refresh tokens to the clients after authenticating and authorizing resource owners. |
Scope: A scope determines which protected resource of an end-user a client has requested access to. A scope contains three parameters: service name, scope name, and operation type.
- Service name: All Zoho products have a service name, such as ZohoCRM or ZohoRecruit
- Scope name: Each product has user data divided into groups defined by scope names.
- Operation type: This can be ALL, READ, CREATE, DELETE, or UPDATE.
Syntax: Service_name.scope_name.OPERATION
Example: ZohoCRM.modules.READ
You can request an access token with multiple scopes.
Syntax: Service_name.scope_name.OPERATION,Service_name.scope_name.OPERATION
Example: ZohoCRM.modules.READ,ZohoCRM.settings.READ
Note: We do not recommend using this method, as the access token is sent to your redirect URI using the HTTP GET method, which poses security concerns. Since the access token is passed via the URI, there is a chance the access token is intercepted by a hacker and misused.