Free tool · your keys stay in your browser by default

Get an OAuth refresh token without the Postman pain.

OAuth 2.0 is mechanical but fiddly — the right scopes, the right data-center host, the code-for-token exchange the docs gloss over. OAuth Studio walks you through all three: tick the permissions in plain English, open one URL, paste the code back, and leave with a refresh + access token and the snippets to use them.

6 providers · Zoho flagship · 7 DCs · stores nothing
01

Build your scopes

Tick the permissions you need in plain English. The exact scope string — comma- or space-separated the way your provider wants it — and the full authorization URL fall out.

02

Authorize & grab the code

Open the URL, approve, and your app redirects back with a short-lived code. No redirect page of your own? Use our catcher — it just shows you the code and hands it back.

03

Exchange for tokens

Get a ready-to-run command (your secret stays in your browser) — or one-click it through a stateless edge hop. Out come your refresh + access tokens, plus the snippets to use them.
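The three wizard steps above, as an added example (not OAuth Studio's own code): build the scope string with the provider's separator, build the authorization URL with the provider's offline-access signal, and build the code-for-token POST, refusing to build it when the redirect URI does not match the registered one. The provider table is constructed for this example; the endpoint hosts are assumptions drawn from the providers' public docs and should be verified against them before use, and the `{dc}` placeholder in the Zoho entries stands for the data-center suffix you pick.

```python
"""Three artifacts of the authorization-code flow: scope string, authorization
URL (with offline-access signal), and the code-for-token exchange request.
Hypothetical example; endpoint hosts are assumptions, verify against provider docs."""
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Provider table constructed for this example. Hosts are assumed from public docs;
# the offline-access signals are the ones described in the FAQ on this page.
PROVIDERS = {
    "google": {
        "authorize": "https://accounts.google.com/o/oauth2/v2/auth",
        "token": "https://oauth2.googleapis.com/token",
        "scope_sep": " ",
        "offline_params": {"access_type": "offline", "prompt": "consent"},
        "offline_scope": None,
    },
    "zoho": {
        # Zoho hosts differ per data center; {dc} is filled from the caller's choice.
        "authorize": "https://accounts.zoho.{dc}/oauth/v2/auth",
        "token": "https://accounts.zoho.{dc}/oauth/v2/token",
        "scope_sep": ",",
        "offline_params": {"access_type": "offline", "prompt": "consent"},
        "offline_scope": None,
    },
    "microsoft": {
        "authorize": "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
        "token": "https://login.microsoftonline.com/common/oauth2/v2.0/token",
        "scope_sep": " ",
        "offline_params": {},
        "offline_scope": "offline_access",
    },
    "salesforce": {
        "authorize": "https://login.salesforce.com/services/oauth2/authorize",
        "token": "https://login.salesforce.com/services/oauth2/token",
        "scope_sep": " ",
        "offline_params": {},
        "offline_scope": "refresh_token",
    },
}


def build_scope_string(provider, scopes):
    """Step 01: join the ticked permissions the way the provider wants them,
    adding the offline-access scope where that is how the provider asks for it."""
    p = PROVIDERS[provider]
    wanted = list(dict.fromkeys(scopes))  # de-duplicate, keep order
    if p["offline_scope"] and p["offline_scope"] not in wanted:
        wanted.append(p["offline_scope"])
    return p["scope_sep"].join(wanted)


def build_authorize_url(provider, client_id, redirect_uri, scopes, dc="com", state=None):
    """Step 02: the URL the user opens. `state` is a random nonce you compare on
    the way back so a redirect carrying someone else's code is rejected."""
    p = PROVIDERS[provider]
    state = state or secrets.token_urlsafe(16)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": build_scope_string(provider, scopes),
        "state": state,
        **p["offline_params"],  # access_type=offline&prompt=consent where needed
    }
    return p["authorize"].format(dc=dc) + "?" + urlencode(params), state


def build_exchange_request(provider, client_id, client_secret, code, redirect_uri,
                           registered_redirect_uri, dc="com"):
    """Step 03: the POST that trades the short-lived code for tokens. The redirect
    URI must match the registered one exactly (a mismatch is the usual cause of
    an "invalid code" answer), so a doomed request is refused up front."""
    if redirect_uri != registered_redirect_uri:
        raise ValueError("redirect_uri does not exactly match the registered one")
    p = PROVIDERS[provider]
    return {
        "method": "POST",
        "url": p["token"].format(dc=dc),
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode({
            "grant_type": "authorization_code",
            "code": code,
            "client_id": client_id,
            "client_secret": client_secret,
            "redirect_uri": redirect_uri,
        }),
    }


def as_curl(req):
    """Render the exchange as a copy-paste command, so the client secret only
    leaves the machine the command is typed on."""
    return f"curl -X {req['method']} {req['url']} --data '{req['body']}'"


def query_params(url):
    """Flatten the query string of a built URL for inspection."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


if __name__ == "__main__":
    url, state = build_authorize_url("zoho", "CLIENT_ID_PLACEHOLDER", "https://app.example/cb",
                                     ["ZohoCRM.modules.ALL"], dc="eu")
    print(url)
    print(as_curl(build_exchange_request("zoho", "CLIENT_ID_PLACEHOLDER", "CLIENT_SECRET_PLACEHOLDER",
                                         "CODE_FROM_REDIRECT", "https://app.example/cb",
                                         "https://app.example/cb", dc="eu")))
```

The `state` value is the piece most hand-rolled exchanges skip: generate it when you build the URL, keep it, and compare it when the redirect comes back before touching the code.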

// the security model, stated plainly

Two ways to exchange. Both honest.

default · zero-knowledge

Everything runs in your browser. The exchange is a command you run on your own machine, so your client secret never touches our servers — there is no server of ours in that loop at all.

optional · one-click

Prefer one click? We forward a single request through a stateless edge function. It stores nothing and logs nothing — the secret passes through memory once and is gone. Honest wording: never stored, not never seen.

No sign-in. No database. No analytics on what you type. This page is a calculator, not an account.

// the workbench

Pick a provider to begin

All 6 run the same three-step wizard — configure & scope, authorize, exchange. Nothing you type is sent anywhere unless you choose the optional one-click exchange.

// questions worth answering

The bits the docs bury.

Do you store or see my client secret?

No. The default exchange is a copy-paste command you run on your own machine — your secret never leaves your browser, and there is no server of ours in that loop. The optional one-click exchange forwards a single request through a stateless edge function that stores nothing and logs nothing; the secret passes through memory once and is gone. If the secret must never reach us at all, use the copy-paste command.

What is the difference between an access token and a refresh token?

An access token is the short-lived key your API calls carry (often ~1 hour). A refresh token is the long-lived credential you keep — you trade it at the token endpoint for a fresh access token whenever the old one expires, without sending the user through sign-in again.
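The access-token / refresh-token split in working code, as an added example (not the tool's code): a holder keeps the short-lived access token, and when it is about to expire trades the long-lived refresh token at the token endpoint for a fresh one, without sending the user back through sign-in. The HTTP transport and the clock are injected so the example runs offline; the token endpoint and its responses below are a constructed stand-in, not any real provider.

```python
"""Self-renewing access token backed by a refresh token. Hypothetical example:
the token endpoint here is a fake, and the `post` transport is injected."""
import time
from urllib.parse import urlencode, parse_qsl


class TokenHolder:
    def __init__(self, token_url, client_id, client_secret, refresh_token,
                 post, clock=time.time, skew=60):
        # `post(url, body) -> dict` is the HTTP transport (assumed interface, injected
        # so the example runs offline). `skew` renews a little early so a request does
        # not go out carrying a token that dies in flight.
        self.token_url = token_url
        self.client_id = client_id
        self.client_secret = client_secret
        self.refresh_token = refresh_token
        self.post = post
        self.clock = clock
        self.skew = skew
        self.access_token = None
        self.expires_at = 0.0
        self.refresh_count = 0

    def _expired(self):
        return self.clock() >= self.expires_at - self.skew

    def _refresh(self):
        # grant_type=refresh_token: the long-lived credential buys a new short-lived one.
        body = urlencode({
            "grant_type": "refresh_token",
            "refresh_token": self.refresh_token,
            "client_id": self.client_id,
            "client_secret": self.client_secret,
        })
        resp = self.post(self.token_url, body)
        if "access_token" not in resp:
            raise RuntimeError(f"refresh failed: {resp.get('error', 'unknown')}")
        self.access_token = resp["access_token"]
        self.expires_at = self.clock() + float(resp.get("expires_in", 3600))
        # Some providers rotate the refresh token on each use; always keep the newest.
        if resp.get("refresh_token"):
            self.refresh_token = resp["refresh_token"]
        self.refresh_count += 1

    def bearer_header(self):
        """What every API call carries; renews transparently when needed."""
        if self._expired():
            self._refresh()
        return {"Authorization": f"Bearer {self.access_token}"}


class FakeTokenEndpoint:
    """Constructed stand-in for a provider's token endpoint (not a real provider)."""

    def __init__(self, valid_refresh_token="rt-1"):
        self.valid_refresh_token = valid_refresh_token
        self.calls = 0

    def post(self, url, body):
        self.calls += 1
        params = dict(parse_qsl(body))
        if (params.get("grant_type") != "refresh_token"
                or params.get("refresh_token") != self.valid_refresh_token):
            return {"error": "invalid_grant"}
        return {"access_token": f"at-{self.calls}", "expires_in": 3600, "token_type": "Bearer"}


class FakeClock:
    """Controllable clock so expiry can be simulated without sleeping."""

    def __init__(self, now=0.0):
        self.now = now

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    """First use refreshes; a fresh token is reused; after ~1 hour it is renewed."""
    clock = FakeClock(now=1000.0)
    endpoint = FakeTokenEndpoint()
    holder = TokenHolder("https://provider.example/oauth/token", "cid", "sec", "rt-1",
                         post=endpoint.post, clock=clock)
    h1 = holder.bearer_header()   # no token yet -> one refresh call
    h2 = holder.bearer_header()   # still fresh -> reused, no network call
    clock.advance(3600)           # past expiry (minus skew) -> renewed on next use
    h3 = holder.bearer_header()
    return h1, h2, h3, endpoint.calls


if __name__ == "__main__":
    print(demo())
```

The `expires_in` bookkeeping is the part worth copying: renew on a clock you control, not on the first 401, and the pipeline never stalls on a token that expired between the check and the call.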

Why do I need "offline access" or access_type=offline?

Most providers only hand back a refresh token when you explicitly ask for offline access — access_type=offline + prompt=consent on Google and Zoho, the offline_access scope on Microsoft, the refresh_token scope on Salesforce. OAuth Studio adds the right signal automatically so you do not get an access token with no way to renew it.

Zoho Self Client vs a redirect flow — which do I use?

Self Client is for backend / server-to-server integrations with no user-facing login: you generate the code straight in the Zoho API Console with your scope string, no redirect URI required. Use the redirect flow when real users are signing in. The tool supports both.

My code expired or I got "invalid code" — what now?

Authorization codes are single-use and expire in minutes. Re-open the authorization URL to mint a fresh one, then exchange it promptly. Also check the redirect URI in the exchange matches the one registered in your app exactly — a mismatch is the most common cause.

Which providers are supported?

Zoho, Google, Microsoft 365, Salesforce, HubSpot, Slack. Zoho is built deepest (all eight data centers, comma-separated scopes, and Self Client). The wizard is provider-agnostic, so more can be added quickly.

Now wire it into production.

Getting the token is step zero. The real work is the pipeline behind it — auth that refreshes itself, retries, rate-limit guards, and the integration that actually moves your data. That is the day job.

Book a free call

Endpoints & scopes verified against each provider’s current docs · nothing you enter is stored or logged

Sumit Bansal — Automation Engineer