Polling request

Get the access token from the Zoho Accounts server by exchanging the device code.

Endpoint

CopiedPOST         {accounts-server-url}/oauth/v3/device/token

Note: The accounts-server-url is specific to the location (i.e., datacenter) where your app is registered.

Query parameters

Parameter	Description
client_id	required The unique ID of your application. You can find this in the API console.
client_secret	required The unique secret for your app which is known only to your app and Zoho. You can find this in the API console.
grant_type	required Should be sent with the value device_token.
code	required The device_code you received after you made the initiation request.

Request example

Copiedhttps://accounts.zoho.com/oauth/v3/device/token
?client_id=1004.JNB00640KVIR87109F4XV941E2SY22
&client_secret=215734b0b2ca5f80f058a4be261e29cbbda609c2b6
&grant_type=device_token
&code=1004.71c4b3d036cbcc5ca5e6f26e4ac0ef11.3a141ff0e7fb15cbf8fc83113b10ec6e

Polling feedback response

Once a polling request is sent, the authorization server will respond with one of the following messages.

Parameter	Description
slow_down	Two polling requests have come within 30 seconds. The device must maintain a request rate of only one request per 30 seconds.
authorization_pending	The user hasn't entered the user_codein the verification_url and granted the requested permissions.
other_dc	The user granted permission, but the user's datacenter is different from the device's datacenter. The datacenter location of the user will also be included in the response (user_location). Subsequent polling requests from the device have to be sent to this datacenter. See Multi DC support
access_denied	The user has denied permission.
expired	The user hasn't done any action within the expires_in duration mentioned in the response of the initiation request, and hence, the request is expired.

Polling success response

If the user grants permission, the server will return the following parameters in the response.

Parameter	Description
access_token	A token that your app needs to access the resources (as defined by the requested scopes). This token is valid for 1 hour.
refresh_token	A special token that can be used by your app to refresh the access token once it is expired. The refresh token will be included in the response if you have passed the parameter access_type with the value offline when making the initiation request (for the first time).
api_domain	The domain to which your app needs to make API requests, for accessing the protected resources.
token_type	Indicates the type of access token that is generated. The access tokens issued by Zoho are Bearer tokens. When your app makes API requests to access the protected resources, access tokens need to be sent using the "Authorization" header. Syntax: Authorization: Zoho-oauthtoken {access token}
expires_in	Indicates the time (in seconds) in which the access token expires. The lifetime of an access token is 1 hour (3600 seconds).

Response example

Copied{
"access_token": "1004.ce70fccd3edf901d37859fe5124ae975.f61ca1a9d7979387cc02fb3f279",
"refresh_token": "1004.7ed4fdccd7e68a9b898b6ba9538590af.f19b5b44251826323a5c2bae653fe7eb",
"api_domain": "https://www.zohoapis.com",
"token_type": "Bearer",
"expires_in": 3600
}

Error codes

Error	Reasons
invalid_client	The accounts-server URL is invalid. Check if the URL is corresponding to the app's datacenter location. See all URLs The parameter client_id is missing or its value is invalid.
invalid_client_secret	The parameter client_secret is missing or its value is invalid.
invalid_response_type	The value of the parameter grant_type is incorrect. It must be device_token.
invalid_code	The parameter code is missing or its value is either invalid or already used.
400 Bad Request	The HTTP method used is incorrect. It must be POST. The parameter may not be spelled correctly.