Polling request

Get the access token from the Zoho Accounts server by exchanging the device code.

Endpoint

POST {accounts-server-url}/oauth/v3/device/token

Note: The accounts-server-url is specific to the location (i.e., datacenter) where your app is registered.

Query parameters

| Parameter | Description |
|---|---|
| client_id (required) | The unique ID of your application. You can find this in the API console. |
| client_secret (required) | The unique secret for your app which is known only to your app and Zoho. You can find this in the API console. |
| grant_type (required) | Should be sent with the value device_token. |
| code (required) | The device_code you received after you made the initiation request. |

Request example

https://accounts.zoho.com/oauth/v3/device/token
?client_id=1004.JNB00640KVIR87109F4XV941E2SY22
&client_secret=215734b0b2ca5f80f058a4be261e29cbbda609c2b6
&grant_type=device_token
&code=1004.71c4b3d036cbcc5ca5e6f26e4ac0ef11.3a141ff0e7fb15cbf8fc83113b10ec6e

Polling feedback response

Once a polling request is sent, the authorization server will respond with one of the following messages.

| Parameter | Description |
|---|---|
| slow_down | Two polling requests arrived within 30 seconds. The device must maintain a request rate of only one request per 30 seconds. |
| authorization_pending | The user hasn't yet entered the user_code in the verification_url and granted the requested permissions. |
| other_dc | The user granted permission, but the user's datacenter is different from the device's datacenter. The datacenter location of the user will also be included in the response (user_location). Subsequent polling requests from the device have to be sent to this datacenter. See Multi DC support. |
| access_denied | The user has denied permission. |
| expired | The user hasn't taken any action within the expires_in duration mentioned in the response of the initiation request, so the request has expired. |

Polling success response

If the user grants permission, the server will return the following parameters in the response.

| Parameter | Description |
|---|---|
| access_token | A token that your app needs to access the resources (as defined by the requested scopes). This token is valid for 1 hour. |
| refresh_token | A special token that can be used by your app to refresh the access token once it has expired. The refresh token will be included in the response if you have passed the parameter access_type with the value offline when making the initiation request (for the first time). |
| api_domain | The domain to which your app needs to make API requests to access the protected resources. |
| token_type | Indicates the type of access token that is generated. The access tokens issued by Zoho are Bearer tokens. When your app makes API requests to access the protected resources, access tokens need to be sent using the "Authorization" header. Syntax: Authorization: Zoho-oauthtoken {access token} |
| expires_in | Indicates the time (in seconds) after which the access token expires. The lifetime of an access token is 1 hour (3600 seconds). |

Response example

{
"access_token": "1004.ce70fccd3edf901d37859fe5124ae975.f61ca1a9d7979387cc02fb3f279",
"refresh_token": "1004.7ed4fdccd7e68a9b898b6ba9538590af.f19b5b44251826323a5c2bae653fe7eb",
"api_domain": "https://www.zohoapis.com",
"token_type": "Bearer",
"expires_in": 3600
}

Error codes

Error / Reasons
invalid_client
  • The accounts-server URL is invalid. Check that the URL corresponds to the app's datacenter location. See all URLs.
  • The parameter client_id is missing or its value is invalid.
invalid_client_secret
  • The parameter client_secret is missing or its value is invalid.
invalid_response_type
  • The value of the parameter grant_type is incorrect. It must be device_token.
invalid_code
  • The parameter code is missing or its value is either invalid or already used.
400 Bad Request
  • The HTTP method used is incorrect. It must be POST.
  • A parameter name may be misspelled.
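The polling loop this page describes, written out as an added example (not Zoho's code) that handles each feedback message and the one-request-per-30-seconds limit. It assumes the feedback message arrives in an `error` field of a JSON body, which this page does not specify; `post`, `dc_urls`, `poll_for_token` and `DeviceFlowError` are hypothetical names, and the replies in the demo are constructed.

```python
import time

POLL_INTERVAL = 30  # seconds; the page allows one polling request per 30 seconds
TOKEN_PATH = "/oauth/v3/device/token"


class DeviceFlowError(Exception):
    """The flow ended without tokens (denied, expired, or unexpected reply)."""


def poll_for_token(post, accounts_url, client_id, client_secret, device_code,
                   expires_in, dc_urls, sleep=time.sleep):
    """Poll the device token endpoint until tokens arrive or the flow ends.

    post(url, params) -> dict is a caller-supplied transport (hypothetical).
    dc_urls maps user_location values to accounts server URLs (hypothetical);
    it is an allow-list, so client_secret only goes to servers you configured.
    """
    params = {"client_id": client_id, "client_secret": client_secret,
              "grant_type": "device_token", "code": device_code}
    waited = 0
    while waited < expires_in:
        resp = post(accounts_url + TOKEN_PATH, params)
        if "access_token" in resp:
            return resp  # holds access_token and maybe refresh_token: do not log
        state = resp.get("error")  # assumption: feedback arrives in "error"
        if state in ("access_denied", "expired"):
            raise DeviceFlowError(state)
        if state == "other_dc":
            location = resp.get("user_location")
            if location not in dc_urls:
                raise DeviceFlowError("other_dc: location not in allow-list")
            accounts_url = dc_urls[location]  # later polls go to the user's DC
        elif state not in ("authorization_pending", "slow_down"):
            raise DeviceFlowError("unexpected response")
        sleep(POLL_INTERVAL)
        waited += POLL_INTERVAL
    raise DeviceFlowError("expired")


if __name__ == "__main__":
    # Constructed replies standing in for the server, so this runs offline.
    replies = iter([{"error": "authorization_pending"},
                    {"error": "other_dc", "user_location": "eu"},
                    {"access_token": "constructed", "expires_in": 3600}])
    tokens = poll_for_token(lambda url, params: next(replies),
                            "https://accounts.example", "id", "secret", "code",
                            300, {"eu": "https://accounts-eu.example"},
                            sleep=lambda seconds: None)
    print(sorted(tokens))
```

Resolving `user_location` through a configured mapping keeps the client secret from being sent to a server the device was not set up to trust.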