Migration for Self-Client Applications


Use this API to generate access and refresh tokens from an existing auth token.

Use this option when your application is a standalone server-side application performing a back-end job, and you do not have a domain and a redirect URL.

How It Works

  1. The external application calls the "Migration for Self-Client Applications" API with the client ID, client secret, auth token, and the required OAuth scopes.

  2. Zoho Accounts checks whether the service names of the auth token and the OAuth scopes match.

  3. After scope validation, Accounts checks whether the application owner is the same as the auth token owner.

  4. If the validation is successful, Accounts generates an OAuth token for the external application.
    Otherwise, the system throws the error "access_denied".

  5. Accounts sends an email to the user about the client upgrade.

Request URL


Request method


  • client_id (string)

    Specify the client ID you obtained while registering your application.

  • client_secret (string)

    Specify the client secret generated from the connected application.

  • grant_type (string)

    The grant type must be authtooauth.

  • authtoken (string)

    Specify your auth token.

  • scope (string)

    Specify the OAuth scopes to access data from Zoho CRM. For more details about Zoho CRM scopes, refer to the What's New section of the Zoho CRM REST API Documentation.

  • soid (string)

    Specify the ZGID of your organization in the following format: ZohoCRM.<zgid>
    You can retrieve the ZGID using the Get Organization API.

Possible Errors
  • invalid_grant

    Reason: The grant_type is not specified as authtooauth.

  • access_denied

    Reason: The auth token you specified is already used to generate an OAuth token.

  • invalid_client

    Reason: The client ID you specified is wrong.

  • invalid_authtoken

    Reason: The auth token you specified is wrong.

  • invalid_scope

    Reason: The OAuth scope you specified is invalid.

  • invalid_request

    Reason: You have not specified the soid parameter.

Note
  • The maximum number of migration requests you can make per minute is 25 and per hour is 60.

  • After the generation of an OAuth token, the system deletes the old auth token after 1 day.

Sample Response

{
  "access_token": "1000.03xxxxxxxxxxxxxxxxxa5317.dxxxxxxxxxxxxxxxxxfa",
  "refresh_token": "1000.95xxxxxxxxxxxxxxxb0de.10bxxxxxxxxxxxxxxxxxx31b",
  "expires_in": 3600,
  "token_type": "Bearer"
}
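
The following is an added example, not code from Zoho's documentation: client-side helpers for migrating several auth tokens in a batch while staying inside the 25-per-minute and 60-per-hour limits, keeping secrets out of logs, and mapping error codes to the reasons listed above. The names MigrationLimiter, build_params, redact and parse_response are hypothetical, the error body shape {"error": "<code>"} is an assumption, and the request itself is not sent because this page does not show the request URL or method.

```python
import json
from collections import deque

# Error codes and reasons as listed on this page.
ERRORS = {
    "invalid_grant": "grant_type is not authtooauth",
    "access_denied": "auth token was already used to generate an OAuth token",
    "invalid_client": "client ID is wrong",
    "invalid_authtoken": "auth token is wrong",
    "invalid_scope": "OAuth scope is invalid",
    "invalid_request": "soid parameter is missing",
}
SECRET_KEYS = {"client_secret", "authtoken", "access_token", "refresh_token"}

class MigrationLimiter:
    """Sliding-window throttle for the page's limits: 25 per minute, 60 per hour."""
    LIMITS = ((60, 25), (3600, 60))  # (window in seconds, max requests)

    def __init__(self):
        self.sent = deque()  # send times within the last hour

    def wait_needed(self, now):
        """Seconds to wait before another request may be sent at time `now`."""
        while self.sent and now - self.sent[0] >= 3600:
            self.sent.popleft()
        wait = 0
        for window, limit in self.LIMITS:
            recent = [t for t in self.sent if now - t < window]
            if len(recent) >= limit:  # wait until the limit-th newest ages out
                wait = max(wait, recent[-limit] + window - now)
        return wait

    def record(self, now):
        self.sent.append(now)

def build_params(client_id, client_secret, authtoken, scope, zgid):
    """Form parameters for one migration request, named as on this page."""
    if not all((client_id, client_secret, authtoken, scope, zgid)):
        raise ValueError("every parameter is treated as required here")
    return {"client_id": client_id, "client_secret": client_secret,
            "grant_type": "authtooauth", "authtoken": authtoken,
            "scope": scope, "soid": f"ZohoCRM.{zgid}"}

def redact(fields):
    """Copy of a request or response dict that is safe to write to logs."""
    return {k: "<redacted>" if k in SECRET_KEYS else v for k, v in fields.items()}

def parse_response(body):
    """Return the token fields, or raise with the page's reason for the error."""
    data = json.loads(body)
    if "error" in data:  # assumed error shape: {"error": "<code>"}
        raise RuntimeError(f"{data['error']}: {ERRORS.get(data['error'], 'unlisted')}")
    return data
```

Because the old auth token is deleted one day after migration, store the returned refresh token in your secret store before retiring the auth token, and log only the output of redact.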