OAuth 2.0 glossary
Protected resource
The data held in a Zoho service that the client wants to access. For example, if the client wants to access the records module in Zoho CRM using an API, then the records module is the protected resource. The client can access this data (i.e., the module) only after proper authorization through OAuth, hence the name protected resource.
Resource owner
The resource owner is the user who grants the client permission, and thereby access, to the protected resource in their Zoho account.
Resource server
The server where the protected resources are stored, and to which the client makes its API calls, is called the resource server. In our case, the Zoho app that holds the resource the client wants to access is the resource server.
Authorization server
The server that issues access tokens and refresh tokens on behalf of the resource owner (i.e., the user), so that the client can access protected resources, is called the authorization server. In our case, Zoho Accounts is the authorization server.
Client
The application that needs access to the protected resource is called the client. The client can be a server-based application, a single-page JavaScript application, a mobile/desktop application, or a non-browser, limited-input application. The client can make API requests to the resource server after the authorization server has authorized it on behalf of the user.
Client type
Indicates the type of application you develop. The four types of clients are:
- Server-based application
  Web applications that are built to run with a dedicated HTTP server. Follows the authorization code flow of OAuth.
- Client-based application
  Single-page JavaScript applications that are built to run exclusively in browsers, independent of web servers. Follows the implicit flow of OAuth.
- Mobile/desktop application
  Applications that are built to run on smartphones and tablets. Follows the authorization code flow.
- Non-browser application
  Applications that run on devices without browsers, such as TVs and printers.
- Self-client
  Applications that do not have a redirect URI and are used only to fetch information automatically from your own account.
Client ID
A unique identifier for your application, which you receive when registering your application in the Zoho API console.
Client secret
A unique secret key for your application, which you receive when registering your application in the Zoho API console. The client secret is known only to your application and Zoho and must therefore be kept confidential. (A client secret is not needed for client-based applications and will not be provided.)
Access token
Access tokens are issued by the authorization server (Zoho Accounts) and are used by the client to access the protected resources. An access token carries information about the user and the scopes. It essentially tells the resource server that the bearer of this token has been authorized by the user to access the protected resource within the defined scope. An access token is valid for 1 hour and can be used only once.
Refresh token
Refresh tokens are used to generate a new access token after the old one expires. Refresh tokens are granted by the authorization server (Zoho Accounts) and can be stored by the client to generate access tokens whenever required.
Authorization code
For server-based and mobile-based applications, access tokens cannot be generated directly. Instead, the client must first obtain an authorization code from the authorization server (Zoho Accounts) and then exchange it for an access token. An authorization code lives for only two minutes and can be used only once.
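The following Python model, added here as an illustration and not taken from Zoho's documentation or SDKs, puts the glossary terms together: an in-memory authorization server that issues single-use, two-minute authorization codes and one-hour access tokens, and a server-based client that exchanges the code, keeps the client secret on the server side, and refreshes the access token shortly before it expires. The endpoint URL, parameter names and `check()` method are modelled on standard OAuth 2.0 and are assumptions for this example; `AUTH_URL`, the scope string and the client credentials are constructed placeholders, not real Zoho values.

```python
import secrets
import time
from urllib.parse import urlencode

CODE_LIFETIME_S = 120           # authorization code: two minutes, single use (per the glossary)
ACCESS_TOKEN_LIFETIME_S = 3600  # access token: one hour (per the glossary)
AUTH_URL = "https://accounts.example.invalid/oauth/authorize"  # placeholder, not Zoho's endpoint


class AuthorizationServer:
    """Stand-in for the authorization server (Zoho Accounts in the glossary); constructed for this example."""
    def __init__(self, clock=time.time):
        self.clock = clock
        self.clients = {}   # client_id -> client_secret
        self._codes = {}    # code -> (client_id, redirect_uri, scope, issued_at)
        self._refresh = {}  # refresh_token -> (client_id, scope)
        self._access = {}   # access_token -> (client_id, scope, expires_at)

    def authorize(self, client_id, redirect_uri, scope):
        """The resource owner has consented: issue a one-time code bound to the client and redirect URI."""
        code = secrets.token_urlsafe(24)
        self._codes[code] = (client_id, redirect_uri, scope, self.clock())
        return code

    def token(self, p):
        """Token endpoint; returns a dict shaped like the JSON response body."""
        cid = p.get("client_id")
        if cid not in self.clients or self.clients[cid] != p.get("client_secret"):
            return {"error": "invalid_client"}
        if p.get("grant_type") == "authorization_code":
            entry = self._codes.pop(p.get("code"), None)  # pop: a code is accepted exactly once
            if entry is None:
                return {"error": "invalid_grant"}
            code_cid, code_redirect, scope, issued = entry
            if (code_cid != cid or code_redirect != p.get("redirect_uri")
                    or self.clock() - issued > CODE_LIFETIME_S):
                return {"error": "invalid_grant"}
            refresh = secrets.token_urlsafe(32)
            self._refresh[refresh] = (cid, scope)
            return {**self._issue_access(cid, scope), "refresh_token": refresh}
        if p.get("grant_type") == "refresh_token":
            entry = self._refresh.get(p.get("refresh_token"))
            if entry is None or entry[0] != cid:
                return {"error": "invalid_grant"}
            return self._issue_access(cid, entry[1])
        return {"error": "unsupported_grant_type"}

    def _issue_access(self, cid, scope):
        tok = secrets.token_urlsafe(32)
        self._access[tok] = (cid, scope, self.clock() + ACCESS_TOKEN_LIFETIME_S)
        return {"access_token": tok, "token_type": "Bearer",
                "expires_in": ACCESS_TOKEN_LIFETIME_S, "scope": scope}

    def check(self, token, required_scope):
        """What the resource server asks: is the bearer token known, unexpired and granted this scope?"""
        entry = self._access.get(token)
        return (entry is not None and entry[2] > self.clock()
                and required_scope in entry[1].replace(",", " ").split())


class Client:
    """Server-based client: it alone holds the client secret, so the secret never reaches a browser."""
    def __init__(self, auth, client_id, client_secret, redirect_uri, clock=time.time):
        self.auth, self.cid, self.secret = auth, client_id, client_secret
        self.redirect, self.clock = redirect_uri, clock
        self.access = self.refresh = self.state = None
        self.expires_at = 0.0

    def authorization_url(self, scope):
        """Step 1: send the resource owner here; state ties the redirect back to this session."""
        self.state = secrets.token_urlsafe(16)
        q = {"response_type": "code", "client_id": self.cid, "redirect_uri": self.redirect,
             "scope": scope, "state": self.state}
        return f"{AUTH_URL}?{urlencode(q)}"

    def handle_redirect(self, code, state):
        """Step 2: the code arrives on the redirect URI and is exchanged for tokens right away."""
        if state != self.state:
            raise RuntimeError("state mismatch")
        self._store(self.auth.token({"grant_type": "authorization_code", "code": code,
                                     "client_id": self.cid, "client_secret": self.secret,
                                     "redirect_uri": self.redirect}))

    def access_token(self):
        """Step 3: reuse the access token for the hour; refresh a minute early so calls never carry a dead one."""
        if self.clock() >= self.expires_at - 60:
            self._store(self.auth.token({"grant_type": "refresh_token", "refresh_token": self.refresh,
                                         "client_id": self.cid, "client_secret": self.secret}))
        return self.access

    def _store(self, resp):
        if "error" in resp:
            raise RuntimeError(resp["error"])
        self.access = resp["access_token"]
        self.refresh = resp.get("refresh_token", self.refresh)  # refresh responses carry no new refresh token
        self.expires_at = self.clock() + resp["expires_in"]
```

To walk through it, register a client id and secret in `AuthorizationServer.clients`, build the URL with `authorization_url()`, obtain a code from `authorize()` (standing in for the user's consent), pass it to `handle_redirect()` with the matching state, and call `access_token()` whenever an API request is about to be made. Passing a controllable `clock` to both objects lets you see the code rejected after two minutes or on a second use, and the access token replaced once the hour is up.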