Server-based Applications

Server-based applications can implement OAuth 2.0 authorization by hitting Zoho's OAuth endpoints to access Zoho's APIs.

Terminology

Protected Resource: All the data present in Zoho Services is defined as a protected resource.

Authorization Code: A short-lived authorization token generated by Zoho accounts and sent to the third-party application via the user-agent (usually a web browser). An authorization code can be exchanged for an access token at Zoho Accounts.

Roles and definitions:

Resource Owners: All Zoho end users who are capable of granting access to protected resources are resource owners.
Resource Servers: Zoho Services that host protected resources on their servers. They have APIs designed to respond to protected resource requests via access tokens.
Clients: Third-party applications making protected resource requests on behalf of the resource owner with the user's authorization.
Authorization Server: Zoho Accounts is the authorization server that issues access tokens and refresh tokens to the clients after authenticating and authorizing resource owners.

Scope: A scope determines which protected resource of an end-user a client has requested access to. A scope contains three parameters: service name, scope name, and operation type.

  • Service name: All Zoho products have a service name, such as ZohoCRM or ZohoRecruit
  • Scope name: Each product has user data divided into groups defined by scope names.
  • Operation type: This can be ALL, READ, CREATE, DELETE, or UPDATE.

Syntax: Service_name.scope_name.OPERATION
Example: ZohoCRM.modules.READ

You can request an access token with multiple scopes.

Syntax: Service_name.scope_name.OPERATION,Service_name.scope_name.OPERATION
Example: ZohoCRM.modules.READ,ZohoCRM.settings.READ
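The scope syntax above lends itself to a small validator. The following Python is an added example, not Zoho's code or SDK: it parses single and comma-separated scope strings into their three parts, rejects anything that does not match `Service_name.scope_name.OPERATION` with one of the five documented operation types, and then checks a client's requested scopes against an approved list so that a request for more than it needs is caught before the authorization URL is built. The identifier pattern for service and scope names, and the rule that `ALL` covers every other operation on the same service/scope-name pair, are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Operation types listed on the page.
OPERATIONS = {"ALL", "READ", "CREATE", "DELETE", "UPDATE"}

# Assumption: service and scope names are plain identifiers (letters, digits, underscore).
# The page does not state the exact character set, so this check is deliberately strict.
_IDENT = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")


@dataclass(frozen=True)
class Scope:
    service: str    # e.g. ZohoCRM
    name: str       # e.g. modules
    operation: str  # ALL, READ, CREATE, DELETE or UPDATE

    def __str__(self) -> str:
        return f"{self.service}.{self.name}.{self.operation}"

    def covers(self, other: "Scope") -> bool:
        """True if granting this scope also grants `other`.
        Assumption: ALL on a service/scope-name pair covers every operation on it."""
        if (self.service, self.name) != (other.service, other.name):
            return False
        return self.operation == "ALL" or self.operation == other.operation


def parse_scope(text: str) -> Scope:
    """Parse one Service_name.scope_name.OPERATION string, rejecting malformed input."""
    parts = text.strip().split(".")
    if len(parts) != 3:
        raise ValueError(f"scope must have exactly three dot-separated parts: {text!r}")
    service, name, operation = parts
    for label, value in (("service name", service), ("scope name", name)):
        if not _IDENT.match(value):
            raise ValueError(f"invalid {label} {value!r} in scope {text!r}")
    if operation not in OPERATIONS:
        raise ValueError(f"unknown operation {operation!r} in scope {text!r}; "
                         f"expected one of {sorted(OPERATIONS)}")
    return Scope(service, name, operation)


def parse_scope_list(text: str) -> List[Scope]:
    """Parse the comma-separated form used when requesting several scopes at once."""
    items = text.split(",")
    if any(not item.strip() for item in items):
        raise ValueError(f"empty scope entry in {text!r}")
    return [parse_scope(item) for item in items]


def excess_scopes(requested: Iterable[Scope], allowed: Iterable[Scope]) -> List[str]:
    """Return the requested scopes that no allowed scope covers (least-privilege check).
    `allowed` is the list a reviewer has approved for this client."""
    allowed = list(allowed)
    return [str(r) for r in requested if not any(a.covers(r) for a in allowed)]


if __name__ == "__main__":
    # Constructed sample request: the page's two-scope example plus an extra UPDATE scope.
    requested = parse_scope_list(
        "ZohoCRM.modules.READ,ZohoCRM.settings.READ,ZohoCRM.modules.UPDATE")
    approved = parse_scope_list("ZohoCRM.modules.READ,ZohoCRM.settings.ALL")
    print("requested beyond approval:", excess_scopes(requested, approved))
```

Run the check at deploy time or in CI against the scope string your application actually sends; a non-empty result means the client is asking end users for more of their data than the integration was approved for.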

Access Token: An end-user authorized key that lets the client access protected resources from the resource server. The client can make API calls using this access token for up to an hour after the creation of the access token.

Refresh Token: Used to obtain a new access token after the old one expires. A refresh token does not expire. The maximum number of allowed refresh tokens per account is 20. The 21st refresh token will replace the first created refresh token.
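The two lifetimes above (an access token usable for up to an hour, a refresh token that does not expire but is capped at 20 per account) shape how a server-side client should hold its credentials. The following Python is an added example, not Zoho's code: a token store that keeps one refresh token, caches the access token it yields, and exchanges the refresh token again only when the cached access token is close to its one-hour limit. The exchange itself is abstracted behind a `refresh_fn` hook because the page does not give the endpoint; the five-minute refresh margin, the `FakeClock` and the `FakeAuthorizationServer` are constructed for the example so it runs offline.

```python
import time
from dataclasses import dataclass
from typing import Callable, Optional

ACCESS_TOKEN_LIFETIME = 3600  # seconds; the page states an access token lasts up to an hour
REFRESH_MARGIN = 300          # assumption: refresh 5 minutes early so in-flight calls never hit expiry


@dataclass
class TokenStore:
    """Holds one long-lived refresh token and the short-lived access token derived from it.

    `refresh_fn` is an assumed hook that performs the refresh-token-to-access-token exchange
    with Zoho Accounts and returns the new access token; the HTTP call is not shown here."""
    refresh_token: str
    refresh_fn: Callable[[str], str]
    clock: Callable[[], float] = time.time
    access_token: Optional[str] = None
    expires_at: float = 0.0
    refresh_calls: int = 0

    def get_access_token(self) -> str:
        """Return a usable access token, re-running the exchange only when the cached one is stale."""
        now = self.clock()
        if self.access_token is None or now >= self.expires_at - REFRESH_MARGIN:
            # The same stored refresh token is reused every time. Requesting a brand-new
            # refresh token on each start would burn through the 20-per-account cap, and the
            # 21st would silently replace the oldest one still in use elsewhere.
            self.access_token = self.refresh_fn(self.refresh_token)
            self.expires_at = now + ACCESS_TOKEN_LIFETIME
            self.refresh_calls += 1
        return self.access_token


class FakeClock:
    """Controllable clock so the lifecycle can be exercised offline (constructed for this demo)."""

    def __init__(self, start: float = 0.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class FakeAuthorizationServer:
    """Stand-in for Zoho Accounts (constructed): counts exchanges and returns made-up tokens."""

    def __init__(self) -> None:
        self.exchanges = 0

    def exchange(self, refresh_token: str) -> str:
        self.exchanges += 1
        return f"access-{self.exchanges}"


if __name__ == "__main__":
    clock = FakeClock(1000.0)
    server = FakeAuthorizationServer()
    store = TokenStore("refresh-demo", server.exchange, clock)
    print(store.get_access_token())   # first call triggers an exchange
    clock.advance(600)
    print(store.get_access_token())   # 10 minutes later: cached token is reused
    clock.advance(2700)
    print(store.get_access_token())   # 55 minutes in: inside the margin, so a new exchange
    print("exchanges performed:", server.exchanges)
```

Persist the refresh token in a secrets store rather than in code or logs: it is the credential that does not expire, so its compromise is the one that matters, and the only way to invalidate it is to revoke it at Zoho Accounts.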