Refreshing Access Tokens

Access tokens have limited validity: they expire in an hour. Once the access_token expires, the user or the app has to use the refresh token to request a new access token. A request made with an expired access token fails with the error Invalid Oauthtoken.

Note: A client can create up to ten access tokens in a span of ten minutes, using a refresh token. If the limit is reached, the access token creation will be blocked for the next ten minutes.

Send a POST request to the following URI, with the parameters given below, to generate a new access token.

https://<ZohoAccounts_Server_URI>/oauth/v2/token

Method: POST

Parameter Name | Description
refresh_token* | <refresh_token> which is obtained in the above step (Step 3)
client_id* | <client_id> obtained during Client Registration (Step 1)
client_secret* | <client_secret> obtained during Client Registration (Step 1)
redirect_uri | This param should be the same redirect URL mentioned while registering the Client (Step 1). This param is not required when the self client application type is chosen during Client Registration (Step 1).
grant_type* | refresh_token (provide this literal string as value)

In response, you will get a new <access_token>.

{
"access_token": "{new_access_token}",
"expires_in": 3600,
"api_domain": "https://www.zohoapis.com",
"token_type": "Bearer"
}

Calling an API using OAuth Authentication
The access token can be passed only in a header; it cannot be passed as a request parameter.

  • Header name = Authorization
  • Header value = Zoho-oauthtoken<space><access_token>
  • Sample: Authorization: Zoho-oauthtoken 1000.abcde12345fgh678.ijk9
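
The refresh call and the Authorization header described above, as an added Python example (not Zoho's own code). It reuses one access token until shortly before expiry so the client stays under the ten-tokens-per-ten-minutes limit. The class name ZohoTokenCache, the 60-second margin, the injectable transport and clock, and sending the parameters as a form-encoded body are assumptions; redirect_uri is omitted, as for a self client.

```python
import json
import time
import urllib.parse
import urllib.request


def post_form(url, fields):
    """Default transport: POST the parameters as a form body, not in the URL."""
    body = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class ZohoTokenCache:
    """Hypothetical helper: reuse one access token until it is close to expiry."""
    MAX_REFRESHES, WINDOW = 10, 600  # ten tokens per ten minutes, per the note
    SKEW = 60                        # assumed safety margin before expiry, seconds

    def __init__(self, accounts_uri, client_id, client_secret, refresh_token,
                 transport=post_form, clock=time.monotonic):
        self._url = accounts_uri.rstrip("/") + "/oauth/v2/token"
        self._fields = {"refresh_token": refresh_token, "client_id": client_id,
                        "client_secret": client_secret,
                        "grant_type": "refresh_token"}
        self._transport, self._clock = transport, clock
        self._token, self._expires_at, self._issued = None, 0.0, []

    def access_token(self):
        now = self._clock()
        if self._token and now < self._expires_at - self.SKEW:
            return self._token  # still valid: no call to the token endpoint
        # Stay under the server limit locally instead of getting blocked.
        self._issued = [t for t in self._issued if now - t < self.WINDOW]
        if len(self._issued) >= self.MAX_REFRESHES:
            raise RuntimeError("refresh budget used up; retry after the window")
        self._issued.append(now)
        reply = self._transport(self._url, self._fields)
        if "access_token" not in reply:
            # Do not log the reply or the request fields: they hold secrets.
            raise RuntimeError("token endpoint returned no access_token")
        self._token = reply["access_token"]
        self._expires_at = now + int(reply.get("expires_in", 3600))
        return self._token

    def auth_header(self):
        # The token travels only in the Authorization header.
        return {"Authorization": "Zoho-oauthtoken " + self.access_token()}
```

Pass the accounts server URI for your data center as accounts_uri, and load client_secret and refresh_token from a secret store rather than from source code.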