We are currently in the process of setting up API authentication for our public Postman collection, and we're excited about the potential benefits this feature will bring to our users. We need some clarification regarding setting this up for our Postman collection, Zoho CRM REST APIs, which uses the OAuth 2.0 protocol for authentication.
Here are a few doubts and concerns we encountered during the setup process:
- Client Details: In the authentication setup steps described in your help document, we are prompted to provide client details. Could you please clarify how these client details will be utilized? Additionally, are there any potential exposure risks associated with providing these details? Please let us know if we have any security risks in this regard.
- Scopes: Our access tokens are generated based on specified scopes. However, in our scenario, it’s challenging to determine which specific APIs the user will utilize beforehand. How can we address this situation without compromising security by providing unnecessary scopes?
- Environment Variable Handling: Our Zoho CRM APIs require domain-specific URLs for both the account and API endpoints. Within our collection, we have added variables to accommodate this variability. However, we encountered an issue where the system automatically creates a new environment when saving tokens generated via the ‘easy authentication setup.’ This separation of variables and tokens across different environments poses a risk of errors during API calls. Is there a method to ensure that generated tokens are saved within the current environment to prevent such discrepancies?
I hope that you will address our queries as soon as possible.
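One way to keep generated tokens in the current environment, as an added example that is not part of the post above and is not Zoho's or Postman's own code: a collection-level pre-request script that refreshes the Zoho OAuth 2.0 access token with the refresh_token grant and writes it back with `pm.environment.set`, so it lands in whatever environment is selected rather than in the separate environment the built-in token helper creates. The script assumes environment variables named `accounts_url` (the domain-specific accounts host, e.g. https://accounts.zoho.com), `client_id`, `client_secret`, `refresh_token`, `access_token` and `access_token_expires_at`; those names are assumptions, not Postman or Zoho conventions. The helpers that build the request and validate the response are plain functions so they also run under Node for testing; only the guarded block at the bottom uses the Postman sandbox (`pm`) API.

```javascript
// Added example: Postman collection pre-request script that refreshes a Zoho OAuth2
// access token and stores it in the CURRENT environment. Not from the original post,
// and not Zoho's or Postman's own code. Assumed environment variable names:
// accounts_url, client_id, client_secret, refresh_token, access_token,
// access_token_expires_at (all hypothetical).

const SKEW_MS = 60 * 1000; // refresh one minute early so a request never races expiry

// A cached token is usable if its stored expiry (epoch ms, as a string) is still
// comfortably in the future. Missing or unparsable values count as expired.
function tokenIsFresh(expiresAtMs, nowMs) {
  const expiresAt = Number(expiresAtMs);
  return Number.isFinite(expiresAt) && expiresAt - SKEW_MS > nowMs;
}

// Build the refresh_token grant request for Zoho's token endpoint in the shape
// pm.sendRequest accepts. Fails loudly if any required variable is unset, which is
// exactly the "variables and token in different environments" error the post describes.
function buildRefreshRequest(env) {
  const required = ['accounts_url', 'client_id', 'client_secret', 'refresh_token'];
  const missing = required.filter((k) => !env[k]);
  if (missing.length) {
    throw new Error('missing environment variables: ' + missing.join(', '));
  }
  return {
    url: env.accounts_url.replace(/\/+$/, '') + '/oauth/v2/token',
    method: 'POST',
    header: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: {
      mode: 'urlencoded',
      urlencoded: [
        { key: 'grant_type', value: 'refresh_token' },
        { key: 'refresh_token', value: env.refresh_token },
        { key: 'client_id', value: env.client_id },
        { key: 'client_secret', value: env.client_secret },
      ],
    },
  };
}

// Validate the token endpoint's JSON and compute the values to persist.
// Zoho returns access_token and expires_in (seconds); an error body has no access_token.
function tokenValuesFromResponse(json, nowMs) {
  if (!json || typeof json.access_token !== 'string' || !json.access_token) {
    throw new Error('token endpoint returned no access_token: ' + JSON.stringify(json && json.error));
  }
  const expiresIn = Number(json.expires_in);
  if (!Number.isFinite(expiresIn) || expiresIn <= 0) {
    throw new Error('token endpoint returned an invalid expires_in');
  }
  return {
    access_token: json.access_token,
    access_token_expires_at: String(nowMs + expiresIn * 1000),
  };
}

// Postman entry point. Skipped when the script runs outside the sandbox (e.g. under Node).
if (typeof pm !== 'undefined') {
  const now = Date.now();
  // Zoho CRM expects the token in an Authorization header with the Zoho-oauthtoken scheme.
  const attach = (token) =>
    pm.request.headers.upsert({ key: 'Authorization', value: 'Zoho-oauthtoken ' + token });

  const cached = pm.environment.get('access_token');
  if (cached && tokenIsFresh(pm.environment.get('access_token_expires_at'), now)) {
    attach(cached);
  } else {
    const env = {};
    for (const k of ['accounts_url', 'client_id', 'client_secret', 'refresh_token']) {
      env[k] = pm.environment.get(k);
    }
    // Postman waits for pending pm.sendRequest calls before sending the main request.
    pm.sendRequest(buildRefreshRequest(env), (err, res) => {
      if (err) throw err;
      const values = tokenValuesFromResponse(res.json(), now);
      pm.environment.set('access_token', values.access_token);            // current environment
      pm.environment.set('access_token_expires_at', values.access_token_expires_at);
      attach(values.access_token);
    });
  }
}
```

Two practical notes for a public collection: `client_secret` and `refresh_token` belong in the user's own environment as secret-type variables (or in initial values the user fills in), never in the collection file you publish, which also answers the exposure concern about client details; and because the token is minted from a refresh token the user obtained with their own consent screen, the scopes are whatever the user granted at that point, so the collection itself does not have to request a broad scope set up front.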