Get access token
Get the access token from our authorization server by exchanging the authorization code.
Endpoint
POST {accounts-server-url}/oauth/v2/token
Note: The accounts-server-url is specific to the location (i.e., datacenter) where the user is present. It is returned as location in the response to the authorization request.
Query parameters
Parameter | Description |
client_id | Required. The unique ID of your application. You can find this in the API console. |
client_secret | Required. The unique secret for your app, which is known only to your app and Zoho. You can find this in the API console. |
grant_type | Required. Must be sent with the value authorization_code. |
code | Required. The authorization code you received after you made the authorization code request. |
redirect_uri | Required. Must be the same URI that was provided when registering the app in the API console. Must start with http:// or https://. For example: https://www.zylker.com/oauthredirect |
Request example
https://accounts.zoho.com/oauth/v2/token
?client_id=1000.GMB0YULZHJK411248S8I5GZ4CHUEX0
&client_secret=122c324d3496d5d777ceeebc129470715fbb856b7
&grant_type=authorization_code
&redirect_uri=https://www.zylker.com/oauthredirect
&code=1000.86a03ca5dbfccb7445b1889b8215efb0.cad9e1ae4989a1196fe05aa729fcb4e1
Response parameters
Parameter | Description |
access_token | A token that your app needs to access the resources (as defined by the requested scopes). This token is valid for 1 hour. |
refresh_token | A special token that can be used by your app to refresh the access token once it is expired. The refresh token will be included in the response if you have passed the parameter access_type with the value offline when making the authorization code request (for the first time). |
api_domain | The domain to which your app needs to make API requests, for accessing the protected resources. |
token_type | Indicates the type of access token that is generated. The access tokens issued by Zoho are Bearer tokens. When your app makes API requests to access the protected resources, access tokens need to be sent using the "Authorization" header. Syntax: |
expires_in | Indicates the time (in seconds) in which the access token expires. The lifetime of an access token is 1 hour (3600 seconds). |
Response example
{
"access_token":"1000.2deaf8d0c268e3c85daa2a013a843b10.703adef2bb337b8ca36cfc5d7b83cf24",
"refresh_token":"1000.18e983526f0ca8575ea9c53b0cd5bb58.1bd83a6f2e22c3a7e1309d96ae439cc1",
"api_domain":"https://api.zoho.com",
"token_type":"Bearer",
"expires_in":3600
}
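An added example, not code from Zoho's documentation: it builds the token request from the parameters listed above, produces a log-safe copy of the URL with the client secret and authorization code redacted, and validates the documented response fields before the token is used. The function names, the https check on the accounts server URL, the 60-second expiry margin and the `{"error": ...}` error shape are assumptions of this example.

```python
import json
import time
from urllib.parse import urlencode, urlsplit

def build_token_request(accounts_server_url, client_id, client_secret, code, redirect_uri):
    """Return (url, log_safe_url) for POST {accounts-server-url}/oauth/v2/token."""
    if urlsplit(accounts_server_url).scheme != "https":
        raise ValueError("accounts server URL must use https")  # added check, not a documented rule
    if urlsplit(redirect_uri).scheme not in ("http", "https"):
        raise ValueError("redirect_uri must start with http:// or https://")
    params = {"client_id": client_id, "client_secret": client_secret,
              "grant_type": "authorization_code", "code": code,
              "redirect_uri": redirect_uri}
    base = accounts_server_url.rstrip("/") + "/oauth/v2/token?"
    # Log only the redacted form: the secret and the code are credentials.
    redacted = dict(params, client_secret="REDACTED", code="REDACTED")
    return base + urlencode(params), base + urlencode(redacted)

def parse_token_response(body, now=None, skew=60):
    """Validate the documented response fields and add an absolute expiry time."""
    data = json.loads(body)
    if "error" in data:  # assumption: errors arrive as {"error": "<code>"}
        raise RuntimeError("token request failed: %s" % data["error"])
    if data.get("token_type") != "Bearer":
        raise ValueError("unexpected token_type")
    if not isinstance(data.get("access_token"), str) or not data["access_token"]:
        raise ValueError("missing access_token")
    if urlsplit(data.get("api_domain", "")).scheme != "https":
        raise ValueError("api_domain is not an https URL")
    expires_in = data.get("expires_in")
    if not isinstance(expires_in, int) or expires_in <= 0:
        raise ValueError("bad expires_in")
    now = time.time() if now is None else now
    # Treat the token as expired `skew` seconds early so it is never sent stale.
    data["expires_at"] = now + expires_in - skew
    return data  # refresh_token is present only if access_type=offline was requested

# Constructed sample values, not real credentials or tokens.
SAMPLE_RESPONSE = ('{"access_token":"1000.constructed.token","api_domain":'
                   '"https://api.zoho.com","token_type":"Bearer","expires_in":3600}')

if __name__ == "__main__":
    url, safe = build_token_request("https://accounts.zoho.com", "1000.EXAMPLEID",
                                    "constructed-secret", "1000.constructed.code",
                                    "https://www.zylker.com/oauthredirect")
    print(safe)
    print(parse_token_response(SAMPLE_RESPONSE, now=0)["expires_at"])
```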
Error codes
Error | Reasons |
invalid_client |
|
invalid_client_secret |
|
invalid_redirect_uri |
|
invalid_code |
|
400 Bad Request |
|