Get access token

Get the access token from our authorization server by exchanging the authorization code.

Endpoint

POST 	{accounts-server-url}/oauth/v2/token

Note: The accounts-server-url is specific to the location (i.e., datacenter) where the user is present. It is given as location in the response of the authorization request.

Query parameters

Parameter    Description

client_id (required)
The unique ID of your application. You can find this in the API console.

client_secret (required)
The unique secret for your app, which is known only to your app and Zoho. You can find this in the API console.

grant_type (required)
Should be sent with the value authorization_code.

code (required)
The authorization code you received after you made the authorization code request.

redirect_uri (required)
It has to be the same URI that was provided when registering the app in the API console. Should start with http:// or https://.

For example: https://www.zylker.com/oauthredirect

Request example

https://accounts.zoho.com/oauth/v2/token
?client_id=1000.GMB0YULZHJK411248S8I5GZ4CHUEX0
&client_secret=122c324d3496d5d777ceeebc129470715fbb856b7
&grant_type=authorization_code
&redirect_uri=https://www.zylker.com/oauthredirect
&code=1000.86a03ca5dbfccb7445b1889b8215efb0.cad9e1ae4989a1196fe05aa729fcb4e1

Response parameters

Parameter    Description

access_token
A token that your app needs to access the resources (as defined by the requested scopes). This token is valid for 1 hour.

refresh_token
A special token that your app can use to refresh the access token once it has expired. The refresh token is included in the response if you passed the parameter access_type with the value offline when making the authorization code request (for the first time).

api_domain
The domain to which your app needs to make API requests to access the protected resources.

token_type
Indicates the type of access token that is generated. The access tokens issued by Zoho are Bearer tokens. When your app makes API requests to access the protected resources, access tokens need to be sent using the "Authorization" header.

Syntax:
Authorization: Zoho-oauthtoken {access token}

expires_in
Indicates the time (in seconds) after which the access token expires. The lifetime of an access token is 1 hour (3600 seconds).

Response example

{
"access_token":"1000.2deaf8d0c268e3c85daa2a013a843b10.703adef2bb337b8ca36cfc5d7b83cf24",
"refresh_token":"1000.18e983526f0ca8575ea9c53b0cd5bb58.1bd83a6f2e22c3a7e1309d96ae439cc1",
"api_domain":"https://api.zoho.com",
"token_type":"Bearer",
"expires_in":3600
}

Error codes

Error    Reasons
invalid_client
  • The accounts-server URL is invalid. Check that the URL corresponds to the user's datacenter location. See all URLs
  • The parameter client_id is missing or its value is invalid. 
  • The value of the parameter grant_type is invalid. It must be authorization_code.
invalid_client_secret
  • The parameter client_secret is missing or its value is invalid. 
invalid_redirect_uri
  • The parameter redirect_uri is either missing or the entered URI doesn't match the one configured in the API console.
invalid_code
  • The parameter code is missing or its value is either invalid or already used.
  • The value of the parameter grant_type is incorrect. It must be authorization_code.
400 Bad Request
  • The HTTP method used is incorrect. It must be POST.
  • The parameter grant_type is missing.
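
The exchange described on this page, as an added Python example (not Zoho's own code): it checks the accounts server URL before client_secret is sent to it, URL-encodes the parameters, and validates the response. The names TRUSTED_ACCOUNTS_HOSTS, TokenError, build_token_request and parse_token_response are hypothetical, and the code assumes that an error code arrives in an `error` field of the JSON body.

```python
import json
import time
import urllib.request
from urllib.parse import urlencode, urlsplit

# Assumption: hosts this app will send client_secret to. Only the host shown on
# this page is listed; add the accounts servers of your other datacenters.
TRUSTED_ACCOUNTS_HOSTS = {"accounts.zoho.com"}


class TokenError(Exception):
    """Raised when the exchange must not be sent or its response is unusable."""


def build_token_request(accounts_server_url, client_id, client_secret, code, redirect_uri):
    """Build (without sending) the POST request that exchanges the code."""
    parts = urlsplit(accounts_server_url)
    # The URL is taken from the authorization response, so verify scheme and
    # host before the client secret is attached to a request for it.
    if parts.scheme != "https" or parts.hostname not in TRUSTED_ACCOUNTS_HOSTS:
        raise TokenError(f"untrusted accounts server: {accounts_server_url!r}")
    query = urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "authorization_code",
        "redirect_uri": redirect_uri,
        "code": code,
    })
    # Rebuild the URL from the checked hostname; the body stays empty because
    # the parameters travel in the query string, as documented above.
    url = f"https://{parts.hostname}/oauth/v2/token?{query}"
    return urllib.request.Request(url, data=b"", method="POST")


def parse_token_response(body, now=None):
    """Validate the JSON body; return the header value and absolute expiry."""
    data = json.loads(body)
    if not isinstance(data, dict):
        raise TokenError("unexpected response body")
    if "error" in data:  # assumption: error codes arrive in an "error" field
        raise TokenError(str(data["error"]))
    if data.get("token_type") != "Bearer" or not data.get("access_token"):
        raise TokenError("response has no Bearer access_token")
    now = time.time() if now is None else now
    return {
        "authorization": f"Zoho-oauthtoken {data['access_token']}",
        "api_domain": data.get("api_domain"),
        "expires_at": now + int(data["expires_in"]),
        "refresh_token": data.get("refresh_token"),  # None without access_type=offline
    }
```

Send the request with `urllib.request.urlopen(req)` and pass the response body to `parse_token_response`. Keep the request URL out of application and proxy logs, since it carries client_secret and the authorization code.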