Step 3: Generate Access and Refresh Token

Once the client application receives an authorization code, it can exchange that code for an access token by making the following request:

Request URL

https://<base_accounts_url>/oauth/v2/token?grant_type=authorization_code&client_id=<client_id>&client_secret=<client_secret>&redirect_uri=<redirect_uri>&code=<authorization_code>

Request Method

POST

where,

Parameter | Description
code* | The authorization code that was generated previously upon making the authorization request.
client_id* | The client ID obtained during the previous Client Registration step.
client_secret* | The client secret obtained during the previous Client Registration step.
redirect_uri* | The same redirect URI that was specified while adding the client.
grant_type* | authorization_code
base_account_url | The base URL of your Zoho account. For example, it is accounts.zoho.com if your account belongs to Zoho's US DC.

In the response to this request, you will get both access_token and refresh_token.

  1. The access_token expires after a fixed period. It is the token the requesting user needs in order to access the resources that correspond to the scopes included while making the authorization request.
  2. The refresh_token is permanent and is required to refresh the requesting user's access token once it expires.

Note: Each time a re-consent page is accepted, a new refresh token is generated. The maximum is 20 refresh tokens per user. If this limit is crossed, the first refresh token is automatically deleted to accommodate the latest one, irrespective of whether that first refresh token is still in use.

Understanding the response

The success or failure of the API will be conveyed in its response. The response of the generate token API will include:

expires_in
The time (in seconds) after which the access token will expire.

api_domain
The domain where the API calls are to be made for the requesting user. Though the value will contain the zohoapis domain, the client application must use your Thrive account's base URL in its API requests. For example, if your account belongs to Zoho's US DC, the client must make the API requests at thrive.zoho.com.

token_type
This indicates the generated token's type. The value Bearer indicates that it's an access token.

Note:

  • An access token is valid for only an hour and can be used only to perform the operations defined by the scopes that were included while making the authorization request.
  • A refresh token has no expiry. However, it can be revoked. Its purpose is to refresh the access token upon its expiry.
  • A maximum of five refresh tokens can be generated per minute.

Possible Errors

invalid_client
Ensure that you have passed the right client ID and client secret.
Ensure that you have used the same Zoho account base URL that you used while making the authorization request.

invalid_code
The authorization code that you generated may either have expired or already been exchanged for an access token.
The refresh token that was used to generate the access token may either have expired or been revoked.

invalid_redirect_uri
The redirect URI given in the request is not one that was associated while registering the client application.

Sample Request

curl "https://accounts.zoho.com/oauth/v2/token?grant_type=authorization_code&code=1000.xxxxxxd34d.xxxxxxx909a&client_id=1000.xxxxxxxxxxHF2C6H&redirect_uri=https://www.zylker.com/callback&client_secret=xxxxxxxxx4f4f7a" -X POST

Sample Response

{
    "access_token": "1000.8cb99dxxxxxxxxxxxxx9be93.9b8xxxxxxxxxxxxxxxf",
    "refresh_token": "1000.3ph66exxxxxxxxxxxxx6ce34.3c4xxxxxxxxxxxxxxxf",
    "api_domain": "https://www.zohoapis.com",
    "token_type": "Bearer",
    "expires_in": 3600
}
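As an added example (not Zoho's code and not part of this documentation), a minimal Python client for this step: it builds the request URL in the layout shown above, turns expires_in into an absolute expiry so the one-hour lifetime can be tracked, and surfaces the error codes from the Possible Errors section. The {"error": "<code>"} body shape and the injectable transport hook are assumptions; the sample body is the page's own Sample Response.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

# Success body copied from the page's Sample Response (token values are masked there).
SAMPLE_RESPONSE = ('{"access_token": "1000.8cb99dxxxxxxxxxxxxx9be93.9b8xxxxxxxxxxxxxxxf",'
                   ' "refresh_token": "1000.3ph66exxxxxxxxxxxxx6ce34.3c4xxxxxxxxxxxxxxxf",'
                   ' "api_domain": "https://www.zohoapis.com", "token_type": "Bearer",'
                   ' "expires_in": 3600}')

class TokenError(Exception):
    """The token endpoint reported an error (invalid_client, invalid_code, ...)."""

def build_token_url(base_accounts_url, client_id, client_secret, redirect_uri, code):
    # Same layout as the page's Request URL; urlencode percent-encodes redirect_uri
    # so its '/', ':' and any '&' cannot be misparsed as separate parameters.
    params = {"grant_type": "authorization_code", "client_id": client_id,
              "client_secret": client_secret, "redirect_uri": redirect_uri, "code": code}
    return f"https://{base_accounts_url}/oauth/v2/token?" + urllib.parse.urlencode(params)

def parse_token_response(body, now=None):
    # Assumption (not shown on the page): failures arrive as {"error": "<error_code>"}.
    data = json.loads(body)
    if "error" in data:
        raise TokenError(data["error"])
    if data.get("token_type") != "Bearer":
        raise TokenError(f"unexpected token_type {data.get('token_type')!r}")
    now = time.time() if now is None else now
    return {"access_token": data["access_token"], "refresh_token": data["refresh_token"],
            "api_domain": data["api_domain"],
            # absolute expiry, so the client can refresh before the hour is up
            "expires_at": now + int(data["expires_in"])}

def exchange_code(base_accounts_url, client_id, client_secret, redirect_uri, code,
                  transport=None):
    # `transport` (url -> body) is injectable so the flow can be exercised offline;
    # the default performs the real POST.
    url = build_token_url(base_accounts_url, client_id, client_secret, redirect_uri, code)
    if transport is None:
        def transport(u):
            req = urllib.request.Request(u, method="POST")
            try:
                with urllib.request.urlopen(req, timeout=15) as resp:
                    return resp.read().decode("utf-8")
            except urllib.error.HTTPError as err:  # error JSON may ride on a 4xx status
                return err.read().decode("utf-8")
    return parse_token_response(transport(url))
```

Because the page places client_secret in the query string, make sure proxy and web-server access logs on the client side do not retain full request URLs.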