An Access Token is like a temporary pass—it expires after one hour. To maintain a continuous connection between your software and Zoho Books without asking the user to log in again, you must use the Refresh Token obtained in Step 3.
At Kalki LLP, we design all our integrations to handle this "silent refresh" in the background, ensuring 24/7 uptime for your financial workflows.
To get a new Access Token, send a form-encoded POST request with the parameters below to the Zoho Accounts token URL for your region. It must be the same data center that issued the refresh token (.com, .in, .eu, and so on); a token issued by one region is not valid in another.
This request uses the refresh_token grant type. Unlike Step 2, it does not require a browser or user consent, so it can run from a server-side job.
| Parameter | Value | Description |
|---|---|---|
| refresh_token | {your_refresh_token} | The long-lived token stored in your database. It stays valid until it is revoked, so treat it as a secret: encrypt it at rest and never ship it to a browser or mobile client. |
| client_id | {your_client_id} | Your app's unique ID. |
| client_secret | {your_client_secret} | Your app's private secret. Keep it server-side, in a secrets store or environment variable, not in source control. |
| grant_type | refresh_token | Tells Zoho you are renewing an existing authorization rather than starting a new one. |
If the refresh is successful, Zoho returns a new access_token together with expires_in (seconds until it expires) and api_domain, the host you should call for API requests. Use the returned api_domain instead of a hard-coded host, and cache the access token until shortly before expires_in runs out rather than refreshing on every request. A new refresh_token is not usually returned; you continue using the original one.
{
"access_token": "1000.new.access.token",
"api_domain": "https://www.zohoapis.in",
"token_type": "Bearer",
"expires_in": 3600
}
We recommend a "Try-Catch-Refresh" logic in your code to handle token expiration gracefully:
Attempt API Call: Use your stored access_token. If you also track the expiry time, refresh proactively a few minutes before it, so most calls never see an error at all.
Catch Error: If the API returns a 401 Unauthorized or code: 57, the token has most likely expired. Note that code: 57 is also what you get when calling the wrong data center (see the error table below), so confirm you are using the api_domain returned with the token before assuming expiry.
Trigger Refresh: Call the Refresh Token endpoint once. If several workers or threads share one refresh token, serialize the refresh (a lock or a single token-manager process) so they do not all hit the endpoint at the same moment.
Update Storage: Save the new access_token and its expiry in your database/cache so other workers pick it up.
Retry API Call: Re-run the original request with the new token, once. If the retry still fails with 401 or code: 57, stop and raise an alert instead of looping; the cause is no longer expiry.
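The refresh request above and the Try-Catch-Refresh loop, written out as one working token manager. This is an added example, not code from the original page or from Kalki LLP. It assumes the Zoho Accounts token endpoint is https://accounts.zoho.{region}/oauth/v2/token, that Zoho APIs take the access token as an "Authorization: Zoho-oauthtoken ..." header, and a Books path of /books/v3/organizations; verify all three against Zoho's documentation for your data center. The HTTP transport is injectable, so the demo runs offline against a constructed FakeZoho stand-in that issues tokens, expires one behind the client's back, and rejects a revoked refresh token.

```python
import json
import threading
import time
import urllib.error
import urllib.parse
import urllib.request

# Assumed region hosts and token path (taken from Zoho's OAuth docs; verify for your DC).
ACCOUNTS_HOSTS = {"com": "https://accounts.zoho.com", "in": "https://accounts.zoho.in",
                  "eu": "https://accounts.zoho.eu"}
REFRESH_SKEW = 300  # refresh 5 minutes before expires_in runs out, not only after a 401

class ReauthorizationRequired(Exception):
    pass  # refresh token revoked or wrong: the user must consent again (Step 2)

class TokenRefreshError(Exception):
    pass  # refresh or retry failed for another reason (invalid_client, wrong DC, ...)

def urllib_transport(method, url, headers=None, body=None):
    # Real HTTP transport returning (status, bytes), including non-2xx bodies.
    req = urllib.request.Request(url, data=body, headers=headers or {}, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()

class ZohoTokenManager:
    def __init__(self, client_id, client_secret, refresh_token, region="com",
                 transport=urllib_transport, clock=time.time):
        self.client_id, self.client_secret = client_id, client_secret
        self.refresh_token = refresh_token      # long-lived secret: encrypt it at rest
        self.token_url = ACCOUNTS_HOSTS[region] + "/oauth/v2/token"
        self.transport, self.clock = transport, clock
        self.access_token, self.expires_at, self.api_domain = None, 0.0, None
        self._lock = threading.Lock()           # one refresh at a time across threads

    def _refresh(self):
        form = urllib.parse.urlencode({
            "refresh_token": self.refresh_token, "client_id": self.client_id,
            "client_secret": self.client_secret, "grant_type": "refresh_token"}).encode()
        status, raw = self.transport("POST", self.token_url,
                                     {"Content-Type": "application/x-www-form-urlencoded"}, form)
        data = json.loads(raw or b"{}")
        if status != 200 or "error" in data:
            err = data.get("error", f"HTTP {status}")
            if err == "invalid_token":          # revoked: never loop on this, escalate
                raise ReauthorizationRequired(err)
            raise TokenRefreshError(err)
        self.access_token = data["access_token"]
        self.expires_at = self.clock() + float(data.get("expires_in", 3600))
        self.api_domain = data.get("api_domain", self.api_domain)
        self.refresh_token = data.get("refresh_token", self.refresh_token)  # rare rotation

    def get_access_token(self):
        with self._lock:
            if self.access_token is None or self.clock() >= self.expires_at - REFRESH_SKEW:
                self._refresh()
            return self.access_token

    def api_get(self, path):
        # Try-Catch-Refresh: call Books; on 401 / code 57 refresh once and retry once.
        for attempt in (1, 2):
            token = self.get_access_token()
            status, raw = self.transport("GET", f"{self.api_domain}/books/v3{path}",
                                         {"Authorization": f"Zoho-oauthtoken {token}"})
            data = json.loads(raw or b"{}")
            if status != 401 and data.get("code") != 57:
                return status, data
            if attempt == 2:  # second failure is not expiry (wrong DC, app access removed)
                raise TokenRefreshError(f"still unauthorized after refresh: {data}")
            with self._lock:
                self.expires_at = 0.0           # force a refresh on the next call

class FakeZoho:  # constructed offline stand-in for Zoho Accounts + Books; not a real server
    def __init__(self):
        self.refresh_calls, self.issued, self.expired = 0, [], set()

    def __call__(self, method, url, headers=None, body=None):
        if url.endswith("/oauth/v2/token"):
            if urllib.parse.parse_qs(body.decode()).get("refresh_token") != ["1000.good.refresh"]:
                return 400, json.dumps({"error": "invalid_token"}).encode()
            self.refresh_calls += 1
            self.issued.append(f"1000.access.{self.refresh_calls}")
            return 200, json.dumps({"access_token": self.issued[-1], "token_type": "Bearer",
                                    "api_domain": "https://www.zohoapis.in", "expires_in": 3600}).encode()
        token = headers["Authorization"].split(" ", 1)[1]
        if token not in self.issued or token in self.expired:
            return 401, json.dumps({"code": 57, "message": "not authorized"}).encode()
        return 200, json.dumps({"code": 0, "organizations": []}).encode()

def demo():
    # Cold start, server-side expiry behind our back, then proactive refresh near expiry.
    fake, now = FakeZoho(), [0.0]
    mgr = ZohoTokenManager("cid", "csecret", "1000.good.refresh", region="in",
                           transport=fake, clock=lambda: now[0])
    first = mgr.api_get("/organizations")   # refresh #1, then the call
    fake.expired.add(mgr.access_token)      # Zoho invalidates token #1 without telling us
    second = mgr.api_get("/organizations")  # 401/57 -> refresh #2 -> retry succeeds
    now[0] += 3600 - 60                     # one minute before the client-side expiry
    third = mgr.api_get("/organizations")   # refresh #3 fires before any 401 happens
    return first[0], second[0], third[0], fake.refresh_calls
```

demo() returns (200, 200, 200, 3): three successful calls and exactly three refreshes, one per scenario. The lock around get_access_token is what stops a fleet of workers from refreshing in parallel and tripping too_many_requests, and the single retry in api_get keeps a revoked app or a wrong data center from turning into an infinite refresh loop. For production, replace FakeZoho with the default urllib_transport and persist access_token, expires_at and api_domain in your database or cache.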
If your refresh request fails, check for these specific errors:
| Error | Probable Cause | Fix |
|---|---|---|
| invalid_token | The Refresh Token was revoked or is incorrect. | The user may have removed your app's access in their Zoho settings. You must re-authorize (Step 2); do not keep retrying the refresh. |
| invalid_client | Client ID/Secret mismatch. | Ensure you aren't using credentials from a different Zoho environment or data center. |
| too_many_requests | You are refreshing too frequently. | Cache the access token and only refresh when expires_in is nearly up or after receiving a 401 error; if several workers share one refresh token, serialize their refreshes. |
| code: 57 | Calling the wrong Data Center. | If your token is for .in, you cannot call .com endpoints. Build API URLs from the api_domain returned with the token instead of a hard-coded host. |
If a project ends or a security breach is suspected, revoke the refresh token using the /token/revoke endpoint so the stolen or unused token can no longer mint access tokens. If the client_secret itself may have leaked, regenerate it in the Zoho API Console as well, since a refresh token is only usable together with the client credentials.
Deluge Tip for Kalki Clients:
When using Zoho Connections in Deluge, Zoho handles Step 4 automatically. You never have to write "refresh" logic if you use the connection parameter in invokeurl. This is why Kalki LLP recommends the "Connections" method for all internal Zoho automations.
Does your Zoho integration stop working every hour? The Kalki LLP technical team can implement a robust OAuth manager for your business that handles token rotations and error logging automatically.