Migration for Redirection-based Applications


To generate access and refresh tokens from the existing auth token.

Use this API when your application has multiple users and it obtains their username and password to generate an auth token, or if the users input their auth tokens.


The application owner must share the client ID, auth token scopes, and the required OAuth scopes over an email to support@zohocrm.com.

Zoho CRM validates the details, and configures them in Zoho Accounts. After successful validation, Zoho CRM informs the application owner about client upgrade over an email.

How it Works?

  1. After successful validation from the service team, the external application accesses the "Migration for Redirection-based Applications" API with client ID, client secret, and auth token.

  2. Zoho Accounts checks whether the parameters passed in the request are already verified.

  3. After successful validation, Accounts provides OAuth access and refresh tokens to the application.

Request URL


Request method


  • client_idstring

    Specify the client ID you obtained while registering your application.

  • client_secretstring

    Specify the client secret generated from the connected application.

  • grant_typestring

    The grant type must be authtooauth.

  • authtokenstring

    Specify your auth token.

  • soidstring

    Specify the ZGID of your organization in the following format: ZohoCRM.<zgid>
    You can retrieve ZGID using Get Organization API.

Possible Errors
  • invalid_grant

    Reason: The grant_type is not specified as authtooauth.

  • access_denied

    Reason: The auth token you specified is already used to generate an OAuth token
    You call the migration API after the allowed time of migration(expired)
    the system has blocked the client.

  • invalid_client

    Reason: The client ID you specified is wrong
    the auth to oauth mapping entry for the valid client is not made in accounts.

  • invalid_authtoken

    Reason: The auth token you specified is wrong
    the auth token scope mismatches with the pre-shared auth scopes

  • invalid_scope

    Reason: The OAuth scope you specified is invalid

  • invalid_request

    Reason: You have not specified the soid parameter

  • The maximum number of migration requests you can make per minute is 60 and per hour is 100.

  • After the generation of an OAuthtoken, the system deletes the old auth token after 1 day.

  • The maximum number of times a client can pass an invalid auth token is 20. If you exceed this limit, the system blocks the client and throws the error message "access_denied".

Sample Response

"access_token": "1000.8cb99dxxxxxxxxxxxxx9be93.9b8xxxxxxxxxxxxxxxf",
"refresh_token": "1000.b8xxxxxxxxxxxxxxxx58f.538b3xxxxxxxxxxxxxxxxx114",
"expires_in": 3600,
"token_type": "Bearer"