OAuth Authentication - Overview

Zoho Bookings APIs use the OAuth 2.0 protocol for authentication. It is an industry-standard framework that enables client applications to gain limited access to the user's data via API without exposing the user's credentials.

How OAuth works  

  1. The client application requests access authorization from the resource owner.

  2. The resource owner authenticates the client and provides the authorization code.

  3. The client application sends this authorization code to the authorization server for tokens.

  4. The authorization server verifies that the client is authenticated and provides access and refresh tokens.

  5. The client uses the access token as a key to access the protected resources.

  6. If the access token is valid, the resource server sends the requested resource to the client.


Terminology  

Terms and their descriptions:

Resource owner: An end user who can grant access to the protected resources.

Protected resources: Zoho Bookings resources, such as data in your Bookings application.

Client: An application that requires access to your Bookings resources.

Client ID and client secret: Credentials Zoho provides to the resource owner to authenticate API requests.

Authorization code: Code sent to the authorization server to obtain access and refresh tokens.

Access token: Provides secure and temporary access to the Zoho Bookings API. It is valid for an hour and can perform the set of operations described in the scope.

Refresh token: Used to obtain a new access token. It has an unlimited lifetime until revoked.


Scopes  

A scope is used to control the type of resources the client application can access. Currently, Bookings supports the following scope:

  zohobookings.data.CREATE

Tokens  

Authorization code: This code is generated after the resource owner registers the client. It is valid for less than 10 minutes (the duration can be chosen while registering the client, but it cannot be more than 10 minutes). You must generate an access token and a refresh token before this code expires.

Refresh token: This token is generated in exchange for both the authorization code and the access token. Its purpose is to generate a new access token after the old access token expires (after one hour). The token has an unlimited lifetime until the user revokes it.

Access token: This is generated in exchange for the authorization code. It is valid for an hour. After it expires, you can generate a new access token by using the refresh token.


Authentication process  

  1. Register the client and get the authorization code

  2. Generate the access and refresh tokens

  3. Refresh your access token

  4. Revoke the refresh token
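An added example, not Zoho's own code, of a client that drives steps 2 to 4 of this process while honouring the lifetimes stated above (authorization code at most 10 minutes, access token one hour, refresh token until revoked). The HTTP transport is injected as a callable so the flow runs offline, and the endpoint URLs and request parameter names are placeholder assumptions, not taken from this page.

```python
import time

ACCESS_TOKEN_TTL = 3600   # page: an access token is valid for an hour
AUTH_CODE_MAX_TTL = 600   # page: an authorization code lives at most 10 minutes

class OAuthError(Exception):
    """Raised when a token cannot be obtained or a code is used too late."""

class ZohoBookingsAuth:
    """Steps 2-4 of the page's process: exchange the code, refresh, revoke.
    post(url, params) -> dict is injected so the flow runs offline; wrap
    requests.post(...).json() in production. URLs/params are ASSUMED placeholders."""
    TOKEN_URL = "https://accounts.example.invalid/oauth/v2/token"          # ASSUMED
    REVOKE_URL = "https://accounts.example.invalid/oauth/v2/token/revoke"  # ASSUMED

    def __init__(self, client_id, client_secret, post, now=time.time):
        self.client_id, self.client_secret, self.post, self.now = client_id, client_secret, post, now
        self.access_token_value, self.refresh_token, self.expires_at = "", "", 0.0  # expiry: epoch secs

    def _creds(self, **extra):
        return {"client_id": self.client_id, "client_secret": self.client_secret, **extra}

    def _store(self, resp):
        if "access_token" not in resp:   # the server reports failures as {"error": ...}
            raise OAuthError(f"token request failed: {resp.get('error', 'no access_token')}")
        self.access_token_value = resp["access_token"]
        # a refresh response carries no new refresh token, so keep the one we have
        self.refresh_token = resp.get("refresh_token", self.refresh_token)
        self.expires_at = self.now() + resp.get("expires_in", ACCESS_TOKEN_TTL)

    def exchange_code(self, code, code_issued_at):
        # Step 2: must happen before the code expires (10 minutes at most)
        if self.now() - code_issued_at >= AUTH_CODE_MAX_TTL:
            raise OAuthError("authorization code expired; re-register the client")
        self._store(self.post(self.TOKEN_URL, self._creds(grant_type="authorization_code", code=code)))
        return self.access_token_value

    def access_token(self):
        # Step 3: refresh transparently once the hour is (nearly) up
        if not self.refresh_token:
            raise OAuthError("no refresh token; call exchange_code first")
        if self.now() >= self.expires_at - 60:
            self._store(self.post(self.TOKEN_URL, self._creds(
                grant_type="refresh_token", refresh_token=self.refresh_token)))
        return self.access_token_value

    def revoke(self):
        # Step 4: refresh tokens never expire on their own, so revoke when done
        self.post(self.REVOKE_URL, {"token": self.refresh_token})
        self.access_token_value, self.refresh_token, self.expires_at = "", "", 0.0
```

Keep the client secret and refresh token out of logs and error messages; only the short-lived access token should ever reach the request layer.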