diff --git a/example/Keys.hs b/example/Keys.hs
--- a/example/Keys.hs
+++ b/example/Keys.hs
@@ -81,7 +81,7 @@
 
 oktaKey :: OAuth2
 oktaKey = OAuth2 { oauthClientId = "0oad3popatwUIhWV40h7"
-                 , oauthClientSecret = "YFqXRjtsy7IYRbueiG2tcgHzhaawLccxqq5ruPfN"
+                 , oauthClientSecret = "x4ycjti9-bM-dw848U9MJO77wUcF-0ToBxk_61rF"
                  , oauthCallback = Just [uri|http://localhost:9988/oauth2/callback|]
                  , oauthOAuthorizeEndpoint = [uri|https://dev-148986.oktapreview.com/oauth2/v1/authorize|]
                  , oauthAccessTokenEndpoint = [uri|https://dev-148986.oktapreview.com/oauth2/v1/token|]
@@ -94,3 +94,11 @@
                     , oauthOAuthorizeEndpoint = [uri|https://login.windows.net/common/oauth2/authorize|]
                     , oauthAccessTokenEndpoint = [uri|https://login.windows.net/common/oauth2/token|]
                     }
+
+zohoKey :: OAuth2
+zohoKey = OAuth2 { oauthClientId = "1000.U9JY0RDYUTMXCKKJFCCXL7V4QFCZ0H"
+                 , oauthClientSecret = "b6088b1a88b967be647512a63d986e043210af35a0"
+                 , oauthCallback = Just [uri|http://localhost:9988/oauth2/callback|]
+                     , oauthOAuthorizeEndpoint = [uri|https://accounts.zoho.com/oauth/v2/auth|]
+                 , oauthAccessTokenEndpoint = [uri|https://accounts.zoho.com/oauth/v2/token|]
+                 }
diff --git a/hoauth2.cabal b/hoauth2.cabal
--- a/hoauth2.cabal
+++ b/hoauth2.cabal
@@ -1,7 +1,7 @@
 Cabal-version: 2.4
 Name:                hoauth2
 -- http://wiki.haskell.org/Package_versioning_policy
-Version:             1.9.1
+Version:             1.10.1
 
 Synopsis:            Haskell OAuth2 authentication client
 
diff --git a/src/Network/OAuth/OAuth2/HttpClient.hs b/src/Network/OAuth/OAuth2/HttpClient.hs
--- a/src/Network/OAuth/OAuth2/HttpClient.hs
+++ b/src/Network/OAuth/OAuth2/HttpClient.hs
@@ -9,6 +9,7 @@
   fetchAccessToken,
   fetchAccessToken2,
   refreshAccessToken,
+  refreshAccessToken2,
 -- * AUTH requests
   authGetJSON,
   authGetBS,
@@ -38,19 +39,24 @@
 -- * Token management
 --------------------------------------------------
 
--- | Request OAuth2 Token
---   method: POST
---   authenticate in header
+-- | Fetch OAuth2 Token with authenticate in request header.
+--
+-- OAuth2 spec allows `client_id` and `client_secret` to
+-- either be sent in the header (as basic authentication)
+-- OR as form/url params.
+-- The OAuth server can choose to implement only one, or both.
+-- Unfortunately, there is no way for the OAuth client (i.e. this library) to
+-- know which method to use. Please take a look at the documentation of the
+-- service that you are integrating with and either use `fetchAccessToken` or `fetchAccessToken2`
 fetchAccessToken :: Manager                                   -- ^ HTTP connection manager
                    -> OAuth2                                  -- ^ OAuth Data
-                   -> ExchangeToken                           -- ^ OAuth 2 Tokens
+                   -> ExchangeToken                           -- ^ OAuth2 Code
                    -> IO (OAuth2Result TR.Errors OAuth2Token) -- ^ Access Token
 fetchAccessToken manager oa code = doJSONPostRequest manager oa uri body
                            where (uri, body) = accessTokenUrl oa code
 
--- | Request OAuth2 Token
---   method: POST
---   authenticate in both header and body
+-- | Please read the docs of `fetchAccessToken`.
+--
 fetchAccessToken2 :: Manager                                   -- ^ HTTP connection manager
                    -> OAuth2                                  -- ^ OAuth Data
                    -> ExchangeToken                           -- ^ OAuth 2 Tokens
@@ -62,13 +68,33 @@
                   ]
   doJSONPostRequest mgr oa url (extraBody ++ body1)
 
--- | Request a new AccessToken with the Refresh Token.
+-- | Fetch a new AccessToken with the Refresh Token with authentication in request header.
+-- OAuth2 spec allows `client_id` and `client_secret` to
+-- either be sent in the header (as basic authentication)
+-- OR as form/url params.
+-- The OAuth server can choose to implement only one, or both.
+-- Unfortunately, there is no way for the OAuth client (i.e. this library) to
+-- know which method to use. Please take a look at the documentation of the
+-- service that you are integrating with and either use `refreshAccessToken` or `refreshAccessToken2`
 refreshAccessToken :: Manager                         -- ^ HTTP connection manager.
                      -> OAuth2                       -- ^ OAuth context
                      -> RefreshToken                 -- ^ refresh token gained after authorization
                      -> IO (OAuth2Result TR.Errors OAuth2Token)
 refreshAccessToken manager oa token = doJSONPostRequest manager oa uri body
                               where (uri, body) = refreshAccessTokenUrl oa token
+
+-- | Please read the docs of `refreshAccessToken`.
+--
+refreshAccessToken2 :: Manager                         -- ^ HTTP connection manager.
+                     -> OAuth2                       -- ^ OAuth context
+                     -> RefreshToken                 -- ^ refresh token gained after authorization
+                     -> IO (OAuth2Result TR.Errors OAuth2Token)
+refreshAccessToken2 manager oa token = do
+  let (uri, body) = refreshAccessTokenUrl oa token
+  let extraBody = [ ("client_id", T.encodeUtf8 $ oauthClientId oa)
+                  , ("client_secret", T.encodeUtf8 $ oauthClientSecret oa)
+                  ]
+  doJSONPostRequest manager oa uri (extraBody ++ body)
 
 -- | Conduct post request and return response as JSON.
 doJSONPostRequest :: (FromJSON err, FromJSON a)
