Step 3: Get access tokens using authorization code

The client must obtain an access token to authenticate API requests that are sent to the Bigin server. The Bigin authorization server approves the client's request to exchange the authorization code with an access token or access and refresh token pair that appears as a string and consists of specific scope, lifetime and other access properties. While making requests to access protected resources in Bigin, you must pass the access token as a bearer token.

Request URL


You must use domain-specific accounts URL to generate access and refresh tokens. Based on the domain location of the user, you should replace {accounts-server} with any of the following domain-specific accounts URL:

  • For US,
  • For AU,
  • For EU,
  • For IN,
  • For CN,
  • For JP,

For example, if the user's domain location is US, you should make an access token request using

You can refer to the user's domain location from the redirect URI response.


Request parameters

In the sample request, we used request parameters as query parameters so that you can try our API. In the real time scenario, we recommend you to pass the request parameters in the request body as form-data.

The request parameters are given below:

client_id stringrequired

Indicates the client identifier of your web application. This parameter helps the Bigin authorization server to identify a client who is requesting a new access token.

For example,


client_secret stringrequired

Indicates the client secret of your web application. This parameter helps to authenticate your application with the Bigin authorization server.

For example,


code stringrequired

This code exchanges with the Bigin authorization server for key access tokens. Copy and paste the authorization code that is given as code in the redirect URI.

For example,


redirect_uri stringrequired

An Authorized Redirect URI is specified during the registration of your application with the authorization server.

For example,


grant_type stringrequired

The grant_type lets the authorization server know about the type of authorization grant. As your application is using the authorization code grant type, always specify the value as authorization_code for this parameter.

For example,


Sample request

Copiedcurl -X POST ""

Response object

The response object contains the following details:

access_token string

A temporary key token that is used to access Bigin resources. You can add the access token value to the authorization header of all Bigin APIs.

Note: This value is valid up to 1 hour and must be used only for the operations defined in the scope.

refresh_token string

A key token that is used to generate new access tokens without user consent.

The refresh token only generates when you set the access-type parameter to offline in the authorization code request.
There is no expiry time limit for refresh tokens. You can generate up to five access tokens in a minute.

scope string

A space-delimited list of scopes that are associated with the access token.

api_domain string

The Domain name of Bigin APIs. You can use this domain name to access Bigin resources.

token_type string

The type of token obtained. It'll be Bearer for access tokens.

expires_in number

The number of seconds after which the access token expires.


Possible errors

The response of this resource includes HTTP status and error codes.

The most common errors that occur when you request access to this endpoint are given in the following:

invalid_client 200 OK
Reason 1: Invalid Client ID or Client secret is passed

Resolution: Provide a valid Client ID and Client secret.

Reason 2: Domain mismatch

Resolution: Generate the authorization code and access/refresh token pair from the same domain using the same domain URL. Alternatively, enable multi-dc for your application to generate tokens from any domain.

Reason 3: An invalid client secret is passed when multi-dc is enabled for your application

Resolution: When multi-dc is enabled, each data center has a separate client secret. Make sure to pass the valid client secret to the correct data center.

invalid_code 200 OK
Reason 1: The Authorization code is expired

Resolution: The authorization code is valid only for one minute in the redirection-based flow. Generate the access and refresh tokens before the grant token expires.

Reason 2: The Authorization code is reused

Resolution: Use the authorization code only once. If you have already used the authorization code once, generate the new code and then request for access tokens.

Reason 3: Invalid or revoked refresh token is passed

Resolution: Provide the valid refresh token while refreshing an access token.

Reason 4: Redirect URI mismatch

The redirect URI in the request mismatches the one registered in the developer console.

Resolution: Provide the same redirect URI you've specified while registering your application in the API console.

What's next

Step 4: Use access tokens in API requests ➔

Sample JSON response

    "access_token": "1000.c9a82de89509322214a396bc666388a8.95d91b2e5b1cd1570346adf30c8a8ea7",
    "refresh_token": "1000.1c22b605bebf0c0ce535590352110f2a.276ce629b4789681eabe632ca0d572fe",
    "scope": "ZohoBigin.modules.READ ZohoBigin.modules.CREATE ZohoBigin.modules.UPDATE ZohoBigin.modules.DELETE",
    "api_domain": "",
    "token_type": "Bearer",
    "expires_in": 3600