Client-based apps - Overview
What are client-based apps
Client-based apps, such as single-page JavaScript apps, run their application logic directly in the browser using JavaScript.
Such apps cannot securely store credentials, including client secrets, on the client side, because anything shipped to the browser can be read by the user or by an attacker who compromises the page. Client-based apps are therefore called "public clients" in OAuth, meaning clients that cannot keep credentials confidential.
For such apps, the Implicit Flow is used to obtain access tokens. It returns the access token directly to the client-side environment as part of the redirection process, so the token is visible to any script running in the page and must be treated accordingly. Refresh tokens are not issued in the Implicit Flow, but the app may be able to obtain new access tokens without user intervention if the user has granted permission for the session.
Implicit flow
To begin with, register your app in the API console as a "client-based app". You will receive a client ID, which you need in the calls that obtain an access token. Once you have an access token, use it to access Zoho's protected resources.
The implicit flow to obtain an access token is as follows:
Step 1:
Make a GET request to the endpoint oauth/v2/auth, specifying the required scopes. The end user is shown the permissions you are requesting. If the user grants access, an access token is returned to the redirection URL. This access token is valid for 1 hour.
Step 2:
Using the received access token, call the Zoho APIs to access protected resources. If you need to access the resources again after the access token expires, you can obtain another access token provided the user granted access for the entire session in step 1: send a GET request to the endpoint oauth/v2/auth/refresh to obtain a new access token.
Multi DC support
In Zoho, we use different data centers (DC) to store users' information. This information is not shared between data centers. Learn more about data centers.
If your app is registered in one DC and needs to access the data of users in other DCs, you must enable multi DC support for your app. After you enable this support, you have to change the endpoint URL of your API calls depending on the user's DC.
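The two steps above and the multi DC note, worked through in browser JavaScript as an added example (this is not Zoho's own code or sample). It assumes details the page does not state: that the authorization endpoint is https://accounts.zoho.com/oauth/v2/auth, that the request carries response_type=token, that the grant comes back in the URL fragment as access_token, expires_in, api_domain and location, and that API calls use the Zoho-oauthtoken authorization scheme. The `state` parameter is not mentioned on the page either; it is included because without it any attacker-supplied redirect fragment would be accepted as a grant for this session. The sample redirect at the bottom is constructed for offline use.

```javascript
// Added example for this page (not Zoho's own code): Implicit Flow helpers for
// a single-page app. Assumed, not stated on the page: the authorization
// endpoint is https://accounts.zoho.com/oauth/v2/auth, the request carries
// response_type=token, and the grant arrives in the redirect URL fragment as
// access_token, expires_in, api_domain and location. The Zoho-oauthtoken
// authorization scheme is the one Zoho APIs use but is also not on this page.

const AUTH_ENDPOINT = "https://accounts.zoho.com/oauth/v2/auth";

// Unguessable `state` binding the redirect to this browser session. The
// generator is injectable so the function can be exercised deterministically.
function randomState(getRandomValues = (buf) => globalThis.crypto.getRandomValues(buf)) {
  const bytes = getRandomValues(new Uint8Array(16));
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

// Step 1: the URL the browser is sent to. `scopes` is joined with commas, the
// separator Zoho uses in its scope strings.
function buildAuthUrl({ clientId, redirectUri, scopes, state, endpoint = AUTH_ENDPOINT }) {
  if (!clientId || !redirectUri || !scopes?.length || !state) {
    throw new Error("clientId, redirectUri, scopes and state are required");
  }
  const url = new URL(endpoint);
  url.searchParams.set("response_type", "token"); // implicit flow: token, not code
  url.searchParams.set("client_id", clientId);
  url.searchParams.set("scope", scopes.join(","));
  url.searchParams.set("redirect_uri", redirectUri);
  url.searchParams.set("state", state);
  return url.toString();
}

// Parse the fragment of the redirect URL. Fragments are never sent to the
// server hosting the page, so the token is only ever visible to page script.
function parseGrantFragment(hash, expectedState, now = Date.now()) {
  const params = new URLSearchParams(hash.replace(/^#/, ""));
  if (!expectedState || params.get("state") !== expectedState) {
    throw new Error("state mismatch: redirect was not initiated by this session");
  }
  if (params.has("error")) {
    throw new Error(`authorization failed: ${params.get("error")}`);
  }
  const accessToken = params.get("access_token");
  if (!accessToken) throw new Error("no access_token in fragment");
  const expiresIn = Number(params.get("expires_in") ?? 3600); // page: valid 1 hour
  return {
    accessToken,
    expiresAt: now + expiresIn * 1000,
    apiDomain: params.get("api_domain"),
    location: params.get("location"),
  };
}

// Read the grant from a window-like object and scrub the fragment so the token
// does not stay in history, bookmarks or anything the user copies.
function consumeRedirect(win, expectedState, now = Date.now()) {
  const grant = parseGrantFragment(win.location.hash, expectedState, now);
  win.history.replaceState(null, "", win.location.pathname + win.location.search);
  return grant;
}

// Treat the token as stale a minute early: clock drift plus request latency
// otherwise produce 401s right at the one-hour boundary.
function tokenIsFresh(grant, now = Date.now(), skewMs = 60_000) {
  return grant.expiresAt - skewMs > now;
}

// Step 2: header for API calls made with the token.
function authorizationHeader(grant) {
  return { Authorization: `Zoho-oauthtoken ${grant.accessToken}` };
}

// Multi DC: route calls to the data center the grant came from rather than a
// hard-coded host (assumes api_domain is present in the fragment).
function apiBase(grant, fallback = "https://www.zohoapis.com") {
  return grant.apiDomain || fallback;
}

// Constructed sample redirect, as a fake window, for running this offline.
const SAMPLE_STATE = "ab".repeat(16);
const SAMPLE_WINDOW = {
  location: {
    hash: `#access_token=1000.tok.en&expires_in=3600&token_type=bearer` +
          `&api_domain=https://www.zohoapis.eu&location=eu&state=${SAMPLE_STATE}`,
    pathname: "/oauth/callback",
    search: "?app=1",
  },
  history: { replaceState(_state, _title, url) { this.url = url; } },
};

function demo() {
  const grant = consumeRedirect(SAMPLE_WINDOW, SAMPLE_STATE, 0);
  return { base: apiBase(grant), header: authorizationHeader(grant), fresh: tokenIsFresh(grant, 0) };
}
console.log(demo());
```

Keep the grant in memory only; writing it to localStorage makes it readable by any script injected into the origin, and the fragment scrub in `consumeRedirect` is what keeps it out of browser history. The endpoint oauth/v2/auth/refresh from step 2 is deliberately not wrapped here, since the page does not give its parameters; take them from the API reference.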
Revoking access tokens
Access tokens can be revoked programmatically or by the user. Users can go to the Connected Apps section in accounts.zoho.com and revoke the access they have granted to an app, which revokes its access tokens.
Programmatically, access tokens are revoked by making a POST request to the endpoint oauth/v2/token/revoke. Refer to the API reference.
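Programmatic revocation from a client-based app, as an added example (not Zoho's own code). It assumes the endpoint is https://accounts.zoho.com/oauth/v2/token/revoke and that the token is passed as a `token` form field; the page states only the path, so confirm the parameter name against the API reference. The point the example adds is that the app drops its copy of the token whether or not the revoke request succeeds, and the fetch implementation is injectable so the logic can be exercised offline.

```javascript
// Added example (not Zoho's code): revoke the token a client-based app holds,
// then forget it locally regardless of the outcome. Assumed, not on the page:
// full endpoint URL and the `token` form-field name.
const REVOKE_ENDPOINT = "https://accounts.zoho.com/oauth/v2/token/revoke";

function buildRevokeRequest(accessToken, endpoint = REVOKE_ENDPOINT) {
  if (!accessToken) throw new Error("no token to revoke");
  return {
    url: endpoint,
    init: {
      method: "POST",
      headers: { "Content-Type": "application/x-www-form-urlencoded" },
      body: new URLSearchParams({ token: accessToken }).toString(),
    },
  };
}

// `store` is the app's in-memory holder for the grant ({ grant: { accessToken } }).
// `fetchImpl` defaults to the browser's fetch and is injectable for offline runs.
async function revokeAndForget(store, fetchImpl = globalThis.fetch) {
  const token = store.grant?.accessToken;
  if (!token) return { revoked: false, reason: "no token" };
  const { url, init } = buildRevokeRequest(token);
  try {
    const res = await fetchImpl(url, init);
    return { revoked: res.ok, status: res.status };
  } catch (err) {
    // Network failure: the server-side token may still be live, but the app
    // must not keep using a token the user asked to revoke.
    return { revoked: false, reason: err.message };
  } finally {
    store.grant = null;
  }
}

// Constructed offline run: a fake fetch that records the request and says 200.
const demoStore = { grant: { accessToken: "1000.tok.en" } };
revokeAndForget(demoStore, async (url, init) => ({ ok: true, status: 200, url, init }))
  .then((result) => console.log(result, "grant after revoke:", demoStore.grant));
```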