Authorization Request

To use the Zoho Recruit APIs, the users must authenticate the application to make API calls on their behalf with an access token.

The access token, in return, must be obtained from a grant token (authorization code). The Zoho Recruit APIs use the authorization code grant type to provide access to protected resources.

There are two ways in which you can generate the grant token based on the client type.

Web-based application

Web-based applications are chosen when your application is used by multiple users and requires user intervention during authorization. For this client type, you must use redirection-based code generation. In this authorization flow,

  • The web application redirects the user to the Zoho OAuth server with the required scope in the Accounts URL:

    As you can see, the request URL has the parameters "scope", "client_id", "response_type", "access_type", and "redirect_uri".

    scopeData that your application wants to access. Refer to Scopes for more details.
    client_idClient ID(consumer key) that you obtained during client registration.
    redirect_uriCallback URL that you specified during client registration.
    response_typeEnter code.
    access_typeEnter access_type as online or offline. If you want to generate the refresh token, set this value as offline.
    prompt=consentTo generate refresh token.

    Based on the user's login details, the system automatically detects the user's domain and uses the domain-specific authentication URL to obtain the grant token (code).

  • When the user clicks Accept: The application gets authorized. The grant token sent as a parameter in the redirect_uri.
  • A back-end script from your end needs to store the following details from the above URL.
    • code={grant_token} - This is used to generate access and refresh tokens.
    • location={domain} - This tells you the domain of the user from which you have to make API calls.
    • accounts-server={accounts_URL} - This is your accounts URL which you have to use to generate access and refresh tokens.
  • The application exchanges the authorization code for an access token.
  • When the user clicks Reject: The browser redirects to the redirect URI with the parameter error=access_denied, and your application is denied access to the user's data in Zoho Recruit.
  • The grant token is valid only for one minute.

  • The authorization URL has the scope for Users. You can change the scope as per your requirement.

Possible Errors

  • The value of the "response_type" key is not "code".
  • You have not passed the mandatory keys in the request.
  • The value of the "response_type" key must be "code".
  • Pass all the mandatory keys in the request to generate the grant token.
ERROR_invalid_clientThe client ID is wrong or empty.Pass the right client ID. You can check your client ID from the developer console.
ERROR_invalid_redirect_uriThe redirect URI value passed, and the one registered in the developer console mismatches.Pass the right redirect URI.
ERROR_invalid_scopeThe scope is invalid.Pass valid scopes. You can refer to the list of scopes here.

Self-Client option

Use this method to generate the grant token if your application does not have a domain and a redirect URL.
You can also use this option when your application is a standalone server-side application performing a back-end job.

  1. Go to Zoho Developer Console and log in with your Zoho Recruit username and password.

  2. Choose Self Client from the list of client types, and click Create Now.

  3. Click OK in the pop up to enable a self client for your account.

  4. Now, your client ID and client secret are displayed under the Client Secret tab.

  5. Click the Generate Code tab and enter the required scope separated by commas. The system throws an 'Enter a valid scope' error when you enter one or more incorrect scopes.

  6. Select the Time Duration for which the grant token is valid. Please note that after this time, the grant token expires.

  7. Enter a description and click Generate.

  8. The generated code for the specified scope is displayed. Copy the grant token.

  • Generating the grant token is a one-time process, provided you generate the access and refresh tokens within the time the grant token is valid for.