OAuth 2.0 Authentication


OAuth 2.0 is an industry-standard protocol for authentication and authorization. The framework enables a host of third-party client applications to gain secure and delegated access to protected resources in Zoho through APIs.

Some common characteristics of OAuth 2.0 are:

  • Clients are not required to support password authentication or store user credentials. API calls can be made to access resources without having to provide user credentials for each call.
  • Clients will only have access to resources authenticated by the user.
  • Users can revoke the client's delegated access at any time.
  • OAuth2.0 access tokens expire after a set time, which provides strong security.




Before you learn about the steps involved in implementing OAuth 2.0, you must understand the following terms related to OAuth 2.0 in the Catalyst context:

Key WordsDescription
Protected ResourceA Catalyst resource such as Cache, Cron, Table, or Folder
Resource ServerThe Catalyst server that hosts the Catalyst protected resources
ClientAn application that sends requests to the resource server to access the protected resources on behalf of the end-user
client_idThe unique key generated for a registered client
client_secretThe secret value generated for a specific registered client's client_id. When you register your Catalyst application in the Zoho API Console, a client_id and client_secret will be generated for it.
Authentication ServerThe Catalyst authorization server that provides the necessary credentials to a client, such as the access_token or refresh_token
Grant Token or codeCatalyst authorization server generates a temporary token and sends it to the client via the browser. The client will send this code back to the authorization server to obtain the access and refresh tokens.
access_tokenA temporary token that is sent to the resource server to access the protected resources of the user. Clients use the access_token to make requests to the associated application using the APIs. Each access_token will be valid for a set time period and can only be used to perform operations described in the scope.
refresh_tokenA token that can be used to obtain new access tokens. This token has an unlimited lifetime until it is revoked by the end-user.
ScopesScopes control the type of resources that the client application can access. Each token is usually created with selected scopes for better security. For example, you can generate an access_token with a scope to only read the data in the Data Store or File Store.The standard format to define a scope is scope=service_name.scope_name.operation_type. The next section lists the scopes available in Catalyst.