Step 2: Generating Grant Tokens

Zoho Thrive uses the authorization code grant type. A client application will therefore require an authorization code to get an access token. Generating this code differs based on the client type: Generating the authorization code is a one-time process provided you generate the access and refresh tokens before it expires.

1. To generate authorization code for a server-based client application
A web server-based client application is one that is used by multiple users and requires user intervention during authorization. To generate the authorization code for this type of client, you must use redirection-based code generation. The authorization flow is as follows:

The client makes an authorization request to the resource owner by accessing the URL:<client_id>&scope=<scope>&redirect_uri=<redirect_uri>&access_type=offline


scope*SCOPE for which the token is to be generated. Multiple scopes can be mentioned, separated by commas. Ex: Thrive.Referral.CREATE
client_id*Client ID is obtained during Client Registration. An opaque string that is round-tripped present in the protocol represents client_id. Whatever is the value given to this, it will be passed back to the user.
response_type*The code value is mandatory to get the access token and is valid for 60 seconds.
redirect_uri*One of the redirect URI from the above steps. This parameter should be the same redirect url mentioned while registering the Client.
access_typeThe allowed values are offline and online. By default, the value is taken as online and gives your application the access_token which is valid for one hour. The offline access_type will give the application an access_token and a refresh_token only for the first time a request is made.
promptPrompts are used for user consent each time your app tries to access user credentials. Ex: Permission to access files


  • Fields with * are mandatory.
  • If you forget your refresh_token or cannot access it, use access_type=offline and prompt=consent in your authorization request. Prompt should always be consent while requesting an access token using a refresh token.

Upon clicking Accept the request will be approved and the user will be redirected back to the URI of the client application (that was specified in the previous step) with keys in the query string. 

For example:

Key in reponseDescription
codeThis will contain the short-lived grant token that will be required to generate the access and refresh tokens.
locationThis will contain the domain location of the requesting user.
account-serverThis is the Zoho Accounts URL where the access and refresh token can be generated for the requesting user.


  • The authorization code will be valid for 1 minute
  • If the user rejects the authorization request, they'll be redirected to the URI of the client application (that was specified in the previous step) with error=access_denied in the query string.


2. To generate an authorization code for a self client

A self client is an application that does not have a domain and a redirect URI. You can also identify a standalone server-side application performing a back-end job as a self client.

  1. Go to and register a self client.
  2. Navigate to the Generate Code tab.
  3. Enter the required scopes, comma-separated.
  4. Select the time duration for which you want the authorization code to be valid.
  5. (Optional) Enter the scope description.
  6. Click CREATE.


The authorization code will be generated and displayed in a pop-up: