Step 2: Authorization Request
To use the Zoho Writer APIs, a user must authorize your application to make API calls on their behalf; the application then presents an access token with each call.
The access token, in turn, is obtained from a grant token (authorization code). The Zoho Writer APIs use the authorization code grant type to provide access to protected resources.
There are two ways in which you can generate the grant token based on the client type.
Web-based application
Choose the web-based client type when your application is used by multiple users and requires the user's involvement during authorization. For this client type, you must use redirection-based code generation. In this authorization flow:
- The user clicks the Login with Zoho button on any third-party web-based application.
- The application redirects the user to the Zoho Login page, and the user enters the Zoho credentials.
HTTP Request Type: GET
- The web application redirects the user to the Zoho OAuth server with the required scope in the Accounts URL:
  https://accounts.zoho.com/oauth/v2/auth?scope=ZohoWriter.documentEditor.ALL&client_id={client_id}&response_type=code&access_type={offline|online}&redirect_uri={redirect_uri}
As you can see, the request URL has the parameters "scope", "client_id", "response_type", "access_type", and "redirect_uri".
Parameter | Data Type | Description |
--- | --- | --- |
Mandatory Parameters | | |
scope | String | Data that your application wants to access. Refer to Scopes for more details. |
client_id | String | Client ID (consumer key) that you obtained during client registration. |
redirect_uri | String | Callback URL that you specified during client registration. |
response_type | String | Enter code (response_type=code). |
Optional Parameters | | |
access_type | String | Value can be 'offline' or 'online'. If the value is offline, you receive a refresh token along with an access token the first time you make the request; once the access token expires, use the refresh token to regenerate it. If the value is online, you receive only an access token. Note: If access_type is not set to offline, it defaults to online. |
prompt | String | If you forget your refresh token or cannot access it, use this parameter along with access_type to receive a new refresh token. Value must be 'consent'. If this parameter is included in the query, the user's consent approval is mandatory every time you generate an OAuth token. Example: To receive another refresh token, include access_type=offline and prompt=consent in your authorization request. |
Based on the user's login details, the system automatically detects the user's domain and uses the domain-specific authentication URL to obtain the grant token (code).
- When the user clicks Accept: The application gets authorized. The grant token is sent as a parameter in the redirect_uri.
- A back-end script from your end needs to store the following details from the above URL:
  - code={grant_token} - This is used to generate access and refresh tokens.
  - location={domain} - This tells you the domain of the user from which you have to make API calls.
  - accounts-server={accounts_URL} - This is your accounts URL, which you have to use to generate access and refresh tokens.
- The application exchanges the authorization code for an access token.
- When the user clicks Reject: The browser redirects to the redirect URI with the parameter error=access_denied, and your application is denied access to the user's data in Zoho Writer.
Note:
- The grant token is valid for only 2 minutes and can be used only once.
- The authorization URL above uses a sample scope. You can change the scope as per your requirement.
- Here is a video explaining how to generate a grant token with a web-based application.
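The two halves of the flow above, building the authorization URL and parsing the redirect back to the application, as an added Python example that is not part of the Zoho documentation. The client ID, redirect URI and callback query strings are constructed placeholders, the `state` parameter is an assumed per-session value not described on this page, and the accounts-host allowlist contains only the host the page names.

```python
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed allowlist: the only accounts host named on this page. Add the
# regional Zoho accounts hosts your deployment actually uses.
ALLOWED_ACCOUNTS_HOSTS = {"accounts.zoho.com"}

def build_authorization_url(client_id, redirect_uri, scope, access_type="online",
                            prompt=None, state=None):
    """Build the Step 2 redirect URL from the documented query parameters."""
    if access_type not in ("offline", "online"):
        raise ValueError("access_type must be 'offline' or 'online'")
    params = {
        "scope": scope,
        "client_id": client_id,
        "response_type": "code",
        "access_type": access_type,
        "redirect_uri": redirect_uri,
    }
    if prompt is not None:
        if prompt != "consent":
            raise ValueError("prompt must be 'consent'")
        params["prompt"] = prompt
    if state is not None:
        # Assumed: an opaque per-session value echoed back on the callback so the
        # back end can tie the returned grant token to the session that started the flow.
        params["state"] = state
    return "https://accounts.zoho.com/oauth/v2/auth?" + urlencode(params)

def parse_callback(query_string):
    """Extract code, location and accounts-server from the redirect_uri query.

    Returns a dict with status 'authorized' or 'denied'. Refuses an
    accounts-server the back end does not recognise, so the client secret is
    only ever posted to a known Zoho accounts host during token exchange.
    """
    q = {k: v[0] for k, v in parse_qs(query_string, keep_blank_values=True).items()}
    if q.get("error") == "access_denied":
        return {"status": "denied", "error": "access_denied"}
    missing = [k for k in ("code", "location", "accounts-server") if not q.get(k)]
    if missing:
        raise ValueError("callback missing parameters: " + ", ".join(missing))
    accounts = urlparse(q["accounts-server"])
    if accounts.scheme != "https" or accounts.hostname not in ALLOWED_ACCOUNTS_HOSTS:
        raise ValueError("unexpected accounts-server: " + q["accounts-server"])
    return {"status": "authorized", "code": q["code"], "location": q["location"],
            "accounts_server": accounts.scheme + "://" + accounts.hostname}
```

Because the grant token is valid for two minutes and single-use, the back end should exchange the returned code immediately rather than storing it for later.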
Possible Errors
Error | Reason | Resolution |
--- | --- | --- |
ERROR_invalid_response_type | | |
ERROR_invalid_client | The client ID is wrong or empty. | Pass the right client ID. You can check your client ID from the developer console. |
ERROR_invalid_redirect_uri | The redirect URI passed does not match the one registered in the developer console. | Pass the right redirect URI. |
ERROR_invalid_scope | The scope is invalid. | Pass valid scopes. You can refer to the list of scopes here. |
Self-Client option
Use this method to generate the grant token if your application does not have a domain and a redirect URL. You can also use this option when your application is a standalone server-side application performing a back-end job.
Note: Here is a video explaining how to enable a self client for your account.
- Go to Zoho Developer Console and log in with your Zoho Writer username and password.
- Choose Self Client from the list of client types, and click Create Now.
- Click OK in the pop-up to enable a self client for your account.
- Now, your client ID and client secret are displayed under the Client Secret tab.
- Click the Generate Code tab and enter the required scopes separated by commas. Refer to our list of Scopes for more details. The system throws an 'Enter a valid scope' error when you enter one or more incorrect scopes.
- Select the Time Duration for which the grant token is valid. Note that after this time, the grant token expires.
- Enter a description and click Create.
- The grant token code for the specified scope is displayed. Copy the grant token.
Note:
- Generating the grant token is a one-time process, provided you generate the access and refresh tokens within the time the grant token is valid for.
- Here is a video explaining how to generate a grant token with a self client application.