Generate Access Token and Refresh Token

Once the client application receives an authorization code, it can exchange the code for an access token by making the following request:

Request URL

https://<base_accounts_url>/oauth/v2/token?grant_type=authorization_code&client_id=<client_id>&client_secret=<client_secret>&redirect_uri=<redirect_uri>&code=<authorization_code>

Request Method

POST

where,

  • base_accounts_url

    The base URL of your Zoho Account. For example, it's accounts.zoho.com if your account belongs to Zoho's US DC.

  • client_id & client_secret

    The client credentials that were generated when you registered the client application.

  • redirect_uri

    One of the authorized redirect URIs that you associated while registering the client application.

  • code

    The authorization code that was generated upon making the authorization request.

Understanding the response

The success or failure of the API will be conveyed in its response. The response of the generate token API will include:

  • access_token

    The access token that the requesting user will need to access the resources that correspond to the scopes that were included while making the authorization request.

  • refresh_token

    The refresh token that will be required to refresh the requesting user's access token.

  • expires_in

    The time (in seconds) after which the access token will expire.

  • api_domain

    The domain where the API calls are to be made for the requesting user. Though the value will contain the zohoapis domain, the client application must use your Creator account's base URL in its API requests. For example, if your account belongs to Zoho's US DC, the client must make the API requests at creator.zoho.com.

  • token_type

    This indicates the generated token's type. The value Bearer indicates that it's an access token.

Note
  • An access token is valid for only an hour and can be used only to perform the operations defined by the scopes that were included while making the authorization request.
  • A refresh token has no expiry. However, it can be revoked. Its purpose is to refresh the access token upon its expiry.
  • A maximum of five refresh tokens can be generated per minute.
Possible Errors

Sample Request

curl -X POST "https://accounts.zoho.com/oauth/v2/token?grant_type=authorization_code&code=1000.xxxxxxd34d.xxxxxxx909a&client_id=1000.xxxxxxxxxxHF2C6H&redirect_uri=https://www.zylker.com/callback&client_secret=xxxxxxxxx4f4f7a"

Sample Response

{
    "access_token": "1000.8cb99dxxxxxxxxxxxxx9be93.9b8xxxxxxxxxxxxxxxf",
    "refresh_token": "1000.3ph66exxxxxxxxxxxxx6ce34.3c4xxxxxxxxxxxxxxxf",
    "api_domain": "https://www.zohoapis.com",
    "token_type": "Bearer",
    "expires_in": 3600
}

Though the api_domain key in the response contains the zohoapis domain, the client application must use your Creator account's base URL in its API requests. For example, if your account belongs to Zoho's US DC, the client must make the API requests at creator.zoho.com.
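
The request above carries client_secret and the authorization code in the query string, so the URL must not reach logs unmasked, and the response needs checking before the tokens are stored. The following is an added example, not Zoho's code: the function names, the REDACTED marker and the 60-second refresh margin are assumptions, and the sample values are constructed.

```python
import json
import time
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SENSITIVE = {"client_secret", "code", "access_token", "refresh_token"}

def build_token_url(base_accounts_url, client_id, client_secret, redirect_uri, code):
    """Build the token request URL in the form shown above, percent-encoding each value."""
    query = urlencode({
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,
        "code": code,
    })
    return f"https://{base_accounts_url}/oauth/v2/token?{query}"

def redact_url(url):
    """Return the URL with secret-bearing query values masked, safe to write to logs."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k in SENSITIVE else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))

def parse_token_response(body, creator_base_url, now=None, skew=60):
    """Validate the token response and return what the client should store."""
    data = json.loads(body)
    missing = {"access_token", "token_type", "expires_in"} - set(data)
    if missing:
        raise ValueError(f"token response missing {sorted(missing)}")
    if data["token_type"] != "Bearer":
        raise ValueError("unexpected token_type")
    now = time.time() if now is None else now
    return {
        "access_token": data["access_token"],
        "refresh_token": data.get("refresh_token"),
        # Refresh shortly before expires_in elapses (skew is an assumed margin).
        "refresh_at": now + int(data["expires_in"]) - skew,
        # Per the page: call the Creator base URL, not the api_domain value.
        "api_base": f"https://{creator_base_url}",
    }

# Constructed sample values, not real credentials.
SAMPLE_BODY = json.dumps({
    "access_token": "1000.aaa.bbb", "refresh_token": "1000.ccc.ddd",
    "api_domain": "https://www.zohoapis.com", "token_type": "Bearer", "expires_in": 3600})
```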