Polling request
Get the access token from the Zoho Accounts server by exchanging the device code.
Endpoint
POST {accounts-server-url}/oauth/v3/device/token
Note: The accounts-server-url is specific to the location (i.e., datacenter) where your app is registered.
Query parameters
Parameter | Description |
client_id | (required) The unique ID of your application. You can find this in the API console. |
client_secret | (required) The unique secret for your app which is known only to your app and Zoho. You can find this in the API console. |
grant_type | (required) Should be sent with the value device_token. |
code | (required) The device_code you received after you made the initiation request. |
Request example
https://accounts.zoho.com/oauth/v3/device/token
?client_id=1004.JNB00640KVIR87109F4XV941E2SY22
&client_secret=215734b0b2ca5f80f058a4be261e29cbbda609c2b6
&grant_type=device_token
&code=1004.71c4b3d036cbcc5ca5e6f26e4ac0ef11.3a141ff0e7fb15cbf8fc83113b10ec6e
Polling feedback response
Once a polling request is sent, the authorization server will respond with one of the following messages.
Parameter | Description |
slow_down | Two polling requests arrived within 30 seconds. The device must maintain a request rate of only one request per 30 seconds. |
authorization_pending | The user hasn't yet entered the user_code at the verification_url and granted the requested permissions. |
other_dc | The user granted permission, but the user's datacenter is different from the device's datacenter. The datacenter location of the user will also be included in the response (user_location). Subsequent polling requests from the device have to be sent to this datacenter. See Multi DC support. |
access_denied | The user has denied permission. |
expired | The user hasn't taken any action within the expires_in duration mentioned in the response of the initiation request, so the request has expired. |
Polling success response
If the user grants permission, the server will return the following parameters in the response.
Parameter | Description |
access_token | A token that your app needs to access the resources (as defined by the requested scopes). This token is valid for 1 hour. |
refresh_token | A special token that your app can use to refresh the access token once it has expired. The refresh token will be included in the response if you have passed the parameter access_type with the value offline when making the initiation request (for the first time). |
api_domain | The domain to which your app needs to make API requests, for accessing the protected resources. |
token_type | Indicates the type of access token that is generated. The access tokens issued by Zoho are Bearer tokens. When your app makes API requests to access the protected resources, access tokens need to be sent using the "Authorization" header. Syntax: |
expires_in | Indicates the time (in seconds) in which the access token expires. The lifetime of an access token is 1 hour (3600 seconds). |
Response example
{
"access_token": "1004.ce70fccd3edf901d37859fe5124ae975.f61ca1a9d7979387cc02fb3f279",
"refresh_token": "1004.7ed4fdccd7e68a9b898b6ba9538590af.f19b5b44251826323a5c2bae653fe7eb",
"api_domain": "https://www.zohoapis.com",
"token_type": "Bearer",
"expires_in": 3600
}
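The polling loop implied by the feedback and success responses above, as an added example that is not Zoho's own code. It assumes the feedback message arrives in an `error` field, takes a caller-supplied `send` transport and a `dc_urls` allowlist (both hypothetical names), and lengthens the interval by 5 seconds on slow_down as RFC 8628 does.

```python
import time

POLL_INTERVAL = 30  # seconds: the page's limit of one request per 30 seconds


class DeviceFlowError(Exception):
    """Terminal outcome: access_denied, expired, or an unrecognised reply."""


def poll_for_token(send, base_url, client_id, client_secret, device_code,
                   expires_in, dc_urls, sleep=time.sleep, clock=time.monotonic):
    """Poll until the user approves, denies, or the device code expires.

    send(url, params) -> dict is a caller-supplied transport (hypothetical)
    that POSTs the parameters and returns the decoded JSON body. dc_urls maps
    a user_location value to an accounts server URL (hypothetical allowlist).
    """
    params = {"client_id": client_id, "client_secret": client_secret,
              "grant_type": "device_token", "code": device_code}
    interval = POLL_INTERVAL
    deadline = clock() + expires_in  # expires_in from the initiation response
    while clock() < deadline:
        body = send(base_url + "/oauth/v3/device/token", params)
        if "access_token" in body:
            if body.get("token_type") != "Bearer":
                raise DeviceFlowError("unexpected token_type")
            return body
        status = body.get("error")  # assumed field carrying the feedback
        if status == "slow_down":
            interval += 5  # back off as RFC 8628 section 3.5 prescribes
        elif status == "other_dc":
            location = body.get("user_location")
            if location not in dc_urls:  # never send the secret to an unlisted host
                raise DeviceFlowError("unknown datacenter: %r" % (location,))
            base_url = dc_urls[location]
        elif status != "authorization_pending":
            raise DeviceFlowError(str(status))  # access_denied, expired, other
        sleep(interval)
    raise DeviceFlowError("expired")


if __name__ == "__main__":
    # Constructed replies served in order by a stand-in transport.
    replies = iter([{"error": "authorization_pending"},
                    {"access_token": "constructed", "token_type": "Bearer"}])
    print(poll_for_token(lambda url, p: next(replies), "https://accounts.zoho.com",
                         "id", "secret", "code", 1800, {}, sleep=lambda s: None))
```

Resolving user_location through a fixed allowlist keeps the client_secret and device code from being posted to a host named only by a response.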
Error codes
Error | Reasons |
invalid_client |
|
invalid_client_secret |
|
invalid_response_type |
|
invalid_code |
|
400 Bad Request |
|