Refresh access token
When the access token expires, your app can obtain a new one without user intervention, provided the session is active. However, this requires the user to have granted permission for the app to refresh the token.
If the user grants permission, the granted_for_session parameter will be returned as true in the response to the access token request; otherwise, this parameter won't be returned.
Token refresh behavior
If permission is granted and the user's session is active:
- You can obtain a new access token by making a request to the oauth/v2/auth/refresh endpoint.
If permission is not granted or the user's session has expired/terminated:
- You must prompt the user to reauthenticate to obtain a new access token.
Endpoint
GET {accounts-server-url}/oauth/v2/auth/refresh
Note: The accounts-server-url is specific to the location (i.e., datacenter) where your app is registered.
Query parameters
Parameter | Description |
client_id | Required. The unique ID of your application. You can find this in the API console. |
response_type | Required. Must be sent with the value token. |
redirect_uri | Required. The URI to which the authorization server redirects the browser with the access token. It must be the same URI that was provided when registering the app in the API console, and it must start with http:// or https://. For example: https://www.zylker.com/oauthredirect |
scope | Required. The scopes to include in the new access token. Only scopes that were previously granted by the user in the oauth/v2/auth request can be included. New scopes cannot be added. |
Request example
https://accounts.zoho.com/oauth/v2/auth/refresh
?response_type=token
&client_id=1000.GMB0YULZHJK411284S8I5GZ4CHUEX0
&redirect_uri=https://www.zylker.com/oauthredirect
&scope=AaaServer.profile.Read
Response parameters
After your app is verified, the access token is sent to the redirect_uri.
Parameter | Description |
access_token | A token that your app needs to access the resources (as defined by the requested scopes). This token is valid for 1 hour. |
api_domain | The domain to which your app needs to make API requests, for accessing the protected resources. |
location | Indicates the data center (DC) location of the user (i.e., where their account is stored). |
expires_in | The time (in seconds) after which the access token expires. The lifetime of an access token is 1 hour (3600 seconds). |
Response example
https://www.zylker.com/oauthredirect
#access_token=1000.2350e7afbb173426e5fe3e5977db2f69.0cddd2403ee2e6309d44e7007bf21c05
&expires_in=3600
&location=in
&api_domain=https://www.zohoapis.in
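The refresh request and the fragment response described above, as an added example that is not Zoho's own code. The function names are hypothetical, the comma separator for multiple scopes and the HTTPS check on api_domain are assumptions, and all sample values are constructed.

```javascript
// Added example: helper names are hypothetical, not part of any Zoho SDK.

// Build the oauth/v2/auth/refresh URL. New scopes cannot be added on refresh,
// so anything outside the originally granted set is rejected locally.
function buildRefreshUrl({ accountsServerUrl, clientId, redirectUri, scopes, grantedScopes }) {
  if (!/^https?:\/\//.test(redirectUri)) {
    throw new Error("redirect_uri must start with http:// or https://");
  }
  const extra = scopes.filter((s) => !grantedScopes.includes(s));
  if (extra.length > 0) {
    throw new Error("scope not previously granted: " + extra.join(","));
  }
  const url = new URL("/oauth/v2/auth/refresh", accountsServerUrl);
  url.searchParams.set("response_type", "token");
  url.searchParams.set("client_id", clientId);
  url.searchParams.set("redirect_uri", redirectUri);
  url.searchParams.set("scope", scopes.join(",")); // assumption: comma-separated
  return url.toString();
}

// Parse the fragment delivered to redirect_uri and turn expires_in into an
// absolute expiry so the app knows when to refresh again.
function parseTokenResponse(redirectedUrl, expectedRedirectUri, now = Date.now()) {
  const url = new URL(redirectedUrl);
  if (url.origin + url.pathname !== expectedRedirectUri) {
    throw new Error("response arrived at an unexpected redirect_uri");
  }
  const params = new URLSearchParams(url.hash.slice(1));
  const accessToken = params.get("access_token");
  const expiresIn = Number(params.get("expires_in"));
  if (!accessToken || !Number.isFinite(expiresIn) || expiresIn <= 0) {
    throw new Error("missing access_token or expires_in");
  }
  const apiDomain = params.get("api_domain");
  // Added check (not stated on the page): only send the token over HTTPS.
  if (!apiDomain || !apiDomain.startsWith("https://")) {
    throw new Error("api_domain must be an https URL");
  }
  return {
    accessToken,
    apiDomain,
    location: params.get("location"),
    expiresAt: now + expiresIn * 1000,
    // Present (as true) only when the user allowed refresh for the session.
    grantedForSession: params.get("granted_for_session") === "true",
  };
}
```

In a browser, pass window.location.href as redirectedUrl and remove the fragment from the address bar once it has been parsed, so the token does not linger in history.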
Error codes
Error | Description |
client_not_granted |
|
prompt_required |
|
OAuthErrorCode.invalid_scope |
|
general_error |
|
An error occurred/40 bad request |
|
OAuthErrorCode.invalid_client |
|
OAuthErrorCode.invlid_redirect_uri |
|