Zoho OAuth Token Generation
Authentication (OAuth)
Zoho Desk's APIs use the industry-standard OAuth 2.0 protocol for authentication and authorization. This protocol delegates user authentication to the service that hosts the user account and authorizes third-party applications to access the user account. Each API request must include an OAuthToken to retrieve any resource from your Zoho Desk portal.
Why should we use OAuth 2.0?
- Clients are not required to support password authentication or store user credentials.
- Clients gain delegated access, i.e., access only to resources authenticated by the user.
- Users can revoke the client's delegated access anytime.
- OAuth 2.0 access tokens expire after a set time. If the client suffers a security breach, user data is exposed only while the access token remains valid.
How does OAuth 2.0 work?

Terminologies
The following are some terms you need to know before you start using the Zoho Desk APIs.
Protected resources:
The Zoho Desk resources, such as Tickets, Contacts, Tasks, etc.
Resource server:
The Zoho Desk server that hosts protected resources.
Resource owner:
Any end-user of your account, who can grant access to the protected resources.
Client:
An application that sends requests to the resource server to access the protected resources on behalf of the end-user.
Client ID:
The consumer key generated from the connected application.
Client Secret:
The consumer secret generated from the connected application.
Authentication server:
Authentication code:
Tokens
Access Token:
A token that is sent to the resource server to access the protected resources of the user. The Access token provides secure and temporary access to Zoho Desk APIs and is used by the applications to make requests to the connected app. Each access token will be valid only for an hour and can be used only for the set of operations that are described in the scope.
Refresh Token:
A token that can be used to obtain new access tokens. This token has an unlimited lifetime until it is revoked by the end-user.
Sample Success Response
{
  "access_token": "1000.67013ab3960787bcf3affae67e649fc0.83a789c859e040bf11e7d05f9c8b5ef6",
  "refresh_token": "1000.aed4288cd9cfb2d63d093faef1b98890.2f4aa58ddadbec9fbbfd683805da839b",
  "token_type": "Bearer",
  "expires_in": 3600
}
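The following is an added example, not part of the Zoho documentation: a minimal client-side token store that parses the sample response above, refreshes before the one-hour expiry, and keeps token values out of logs. The `TokenStore` class, the `redact` helper and the 5-minute `REFRESH_MARGIN` are assumptions made for illustration; the token endpoint is not shown on this page, so no network call is made.

```python
import json
import time

# Sample response copied from the page above (documentation sample values).
SAMPLE_RESPONSE = """{ "access_token": "1000.67013ab3960787bcf3affae67e649fc0.83a789c859e040bf11e7d05f9c8b5ef6",
 "refresh_token": "1000.aed4288cd9cfb2d63d093faef1b98890.2f4aa58ddadbec9fbbfd683805da839b",
 "token_type": "Bearer", "expires_in": 3600 }"""

REFRESH_MARGIN = 300  # assumption: renew 5 minutes before the access token expires


def redact(token):
    """Return a log-safe form: only the last four characters of long tokens."""
    if not token:
        return "<none>"
    return "***" + token[-4:] if len(token) > 8 else "***"


class TokenStore:
    """Holds one access/refresh token pair and tracks the access token's expiry."""

    def __init__(self, clock=time.time):
        self._clock = clock  # injectable so the expiry logic can be tested
        self.access_token = None
        self.refresh_token = None
        self.expires_at = 0.0

    def load(self, body):
        data = json.loads(body)
        if "access_token" not in data or "expires_in" not in data:
            # Do not echo the body in the error: it may contain a token.
            raise ValueError("token response missing access_token/expires_in")
        self.access_token = data["access_token"]
        # A refresh response may omit refresh_token; keep the stored one then.
        self.refresh_token = data.get("refresh_token", self.refresh_token)
        self.expires_at = self._clock() + int(data["expires_in"])

    def needs_refresh(self):
        return self.access_token is None or self._clock() >= self.expires_at - REFRESH_MARGIN

    def refresh_params(self, client_id, client_secret):
        """Form fields for the OAuth 2.0 refresh_token grant (RFC 6749, section 6)."""
        if not self.refresh_token:
            raise RuntimeError("no refresh token stored")
        return {"grant_type": "refresh_token", "refresh_token": self.refresh_token,
                "client_id": client_id, "client_secret": client_secret}

    def __repr__(self):
        # Token values never reach logs or tracebacks through repr().
        return f"TokenStore(access={redact(self.access_token)}, refresh={redact(self.refresh_token)})"
```

Because the refresh token stays valid until it is revoked, store it and the client secret in a secrets manager or OS keystore rather than in source code or plain configuration files.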
Step 1: Register your Application
First, register your app in Zoho's Developer Console, which you can access here.
Choose a client type
- Java Script: Applications that run exclusively on a browser and are independent of a web server.
- Web Based: Applications that are clients running on a dedicated HTTP server.
- Mobile: Applications that are installed on smartphones and tablets.
- Non-browser Mobile Applications: Applications for devices without browser provisioning such as smart TVs and printers.
- Self Client: If your application is a stand-alone application that performs only back-end jobs like data-sync (without any manual intervention).

Generating OAuth Tokens Using Self Client
Use this method to generate the grant token if your application does not have a domain and a redirect URL.
You can also use this option when your application is a standalone server-side application performing a back-end job.
- Go to Zoho Developer Console.
- Choose Self Client from the list of client types, and click Create Now.
- Click OK in the pop-up to enable a self client for your account.
- Now, your client ID and client secret are displayed under the Client Secret tab.
- Click the Generate Code tab and enter the required scope separated by commas.
  - In Scope, add the following: Desk.tickets.ALL,Desk.tasks.ALL,Desk.basic.READ,Desk.settings.ALL,Desk.events.ALL,Desk.articles.READ
- Select the Time Duration for which the grant token is valid. Please note that after this time, the grant token expires.
- Enter a description and click Generate.
- The generated code for the specified scope is displayed. Copy the grant token.