Pre-requisite

All Zoho Sign APIs require this mandatory header.

• Authorization - Authentication request header.

Getting Started

There are six steps to access Zoho Sign APIs using OAuth:

1. Registering a new client
2. Generating grant token
3. Generating access and refresh token
4. Generating access token from refresh token
5. Revoking refresh token
6. Calling an API

Registering a new client

1. First, you need to register your application with Zoho's developer console to get your Client ID and Client Secret.
2. Log in to https://accounts.zoho.com/developerconsole
3. Click on Add Client ID
4. Provide the details and register your application
5. On successful authentication, you will be provided with Client ID and Client Secret
6. Do not share the Client ID and Client Secret with anyone

Generating grant token

1. Go to the authorization URL with the given param: https://accounts.zoho.com/oauth/v2/auth?
2. On this request, you be will taken to the user consent page.
3. Click Accept (clicking Deny will throw an error)
4. Zoho will redirect to the given redirect_uri with code and state param. This code value is mandatory to get the access token in the next step
5. The code value will be valid for 60 seconds

Generating access and refresh token

After generating the code in the above step, make a POST request for the below URL with given params, to generate the access_token.

1. https://accounts.zoho.com/oauth/v2/token?
2. In the response, you will get both access_token and refresh_token.
3. The access_token will expire after a particular period (as configured in the expires_in param).
4. The refresh_token is permanent and will be used to regenerate new access_token, if the current access token has expired.
5. Each time a re-consent page is accepted, a new refresh token is generated. The maximum limit is 20 refresh tokens per user. If this limit is reached, the first refresh token will be automatically deleted to accommodate the latest one. This is done irrespective of whether the first refresh token is in use or not.

Generating access token from refresh token

Access tokens have a limited validity. In most cases, the access tokens will expire in one hour. Until then, the access token has unlimited usage. Once it expires, your application should use the refresh token to request for a new access token. Redirect to the following POST URL with the given params to get a new access token.

Revoking refresh token

To revoke a refresh token, call the following POST URL with the given params.

https://accounts.zoho.com/oauth/v2/token/revoke?

Calling an API

Access token can be passed only in the header and cannot be passed in the request param.

• Header name should be Authorization Header value should be Zoho OAuth token {access_token}

Some tips

Zoho Sign API uses appropriate HTTP verbs for every action.

• GET - used for retrieving resources
• POST - used for creating resources and performing resource actions
• PUT - used for updating resources
• DELETE - used for deleting resources

Zoho Sign uses HTTP status codes to indicate the status of an API call. In general, status codes in the 2xx range mean success, 4xx range means there was an error in the provided information, and those in the 5xx range indicate server-side errors. Commonly used HTTP status codes are listed below.

• 200 - OK
• 400 - bad request
• 401 - unauthorized access or invalid auth token
• 404 - URL not found
• 405 - method not allowed or method you have called is not supported for the invoked API
• 500 - internal error

Zoho Sign APIs retrieves documents, templates, users and other resources - paginated to 100 items by default. The pagination information will be included in the list API response under the node name page_context.

By default, the first page will be listed. For navigating through pages, use the start_index parameter.

The row_count parameter can be used to set the number of records that you want to receive in the response.