Step 1: Create authorization request

To obtain user authorization for accessing API endpoints, you must construct an authorization request link and provide a way for users to access the request link.

The authorization request link looks like the following:{scopes}&client_id={client_id}&response_type=code&access_type={"offline"or"online"}&redirect_uri={redirect_uri}

The authorization request link has the following components:

  • Accounts URL - the API domain of Bigin authorization server that authenticates a user and then prompts the user to accept or reject your client's API access request. For example,

    Note: When you create an authorization request, use for accounts hosted in US, EU, AU, and IN domains and for accounts hosted in CN. For more information, see Multi DC Support.

  • Query parameters - Along with the account URL, you must include query parameters that provide the context of a request to the authorization server.

The query parameters include the following:

response_type requiredIndicates the type of response. This parameter informs the Bigin authorization server about the type of response the client is requesting. In this case, as the Bigin uses authorization code grant type and the client requests for authorization code, set the response_type value to code.response_type = code
client_id requiredIndicates the client identifier of your web application. This parameter helps the Bigin authorization server to identify a client who is requesting user authorization. For more information about client identifier, see Register your application.client_id = 1000.690CGFL9IO0QAAXY7904YOBT4IHLGY
scope requiredIndicates the scope of the access request. This parameter informs the Bigin authorization server about the level of access the client is requesting. You can set the single scope or multiple scopes separated by a comma as shown in the example section. For more information, see Scopes.scope = ZohoBigin.modules.ALL


scope = ZohoBigin.settings.modules.READ,ZohoBigin.settings.modules.WRITE,ZohoBigin.settings.DELETE
redirect_uri requiredIndicates the URI of the page to which the Bigin authorization server sends back the response once the user grants access. The value of this parameter must be the same as the Authorized Redirect URIs value, which is specified while registering your client.redirect_uri =
access_type recommended

Indicates the type of access. The value for this parameter can be any of the following:

  • If your client needs to access resources for a short period of time when the user is present, use online. This will provide only a short-lived access token.
  • If your client needs to access resources for a long period of time even when the user is not present, use offline. This will provide both access and refresh tokens.
access_type = online


access_type = offline

A sample authorization request with required and recommended query parameters is provided in the following:,ZohoBigin.settings.modules.WRITE,ZohoBigin.settings.DELETE&access_type=offline&redirect_uri=

The above sample request has access_type as offline so it can be used to generate both access and refresh tokens.

What's next!

Step 2: Request users to grant permissions ➔