Generate Access Token and Refresh Token

OAuth2.0 requests are usually authenticated with an access token, which is passed as bearer token. To use this access token, you need to construct a normal HTTP request and include it in an Authorization header along with the value of Bearer.


You must use your domain-specific Zoho Accounts URL to generate access and refresh tokens. The following are the various domains and their corresponding accounts URLs.

  • For US:
  • For AU:
  • For EU:
  • For IN:

To generate access and refresh token:

  1. Make a POST request with the following URL. Replace {Accounts_URL} with your domain-specific Zoho accounts URL when you make the request.


    Note: For security reasons, pass the below parameters in the body of your request.

    Request Parameters
    grant_typeEnter the value as "authorization_code".
    client_idSpecify client-id obtained from the connected app.
    client_secretSpecify client-secret obtained from the connected app.
    redirect_uriSpecify the Callback URL that you registered during the app registration.
    codeEnter the grant token generated from previous step.
  2. If the request is successful, you will receive the following:

    "access_token": "{access_token}",
    "refresh_token": "{refresh_token}",
    "api_domain": "{api_domain}",
    "token_type": "Bearer",
    "expires_in": 3600

    Response Parameters
    access_tokenAccess token to access Zoho FSM APIs
    refresh_tokenRefresh token to obtain new access tokens
    expires_in_secTime in seconds after which the access token expires

    Domain name of the API. Use this domain in your requests to make API calls to Zoho FSM.

    For US:

    For AU:

    For EU:

    For IN:

    token_typeType of token obtained. "Bearer" indicates this is an access token.
    expires_inTime in milliseconds after which the access token expires

    This completes the authentication. Once your app receives the access token, send the token in your HTTP authorization header to Zoho FSM API with the value "Zoho-oauthtoken {access_token}" for each endpoint (for each request).


  • Each access token is valid for only an hour and used only for the operations defined in the scope.
  • Refresh token does not expire. Use it to refresh access tokens when they expire.
  • You can only generate a maximum of five refresh tokens in a minute.