Kaizen #191: Implementing "Login with Zoho" using Python SDK

      

Welcome back to another week of Kaizen!!

This week, we are diving into how to implement secure user authentication using Login with Zoho and integrate it with Zoho CRM through our Python SDK.

To ground this in a real-world scenario, we will look at how Zylker Academy, a training institute offering web design and development courses, uses an internal portal that connects directly to Zoho CRM. This setup allows course coordinators to manage student data without maintaining a separate backend database.

Zylker receives frequent student enquiries and uses Zoho CRM to manage all related information. Every course coordinator, academic advisor, and support staff member who needs access to student information is added as a user in Zoho CRM, with access permissions aligned to their role. Instead of using Zoho’s interface directly, Zylker’s team works through a custom internal web portal, tailored to their workflow. This portal connects directly to Zoho CRM, reading from and writing to it, but does not have its own database.

But before this portal can access any CRM data, it must authenticate itself securely. Every time a user opens the portal, they must log in with their Zoho account. Once authenticated, they will be granted access to the CRM modules and records they are authorized to work with. That is where Login with Zoho comes in.

What is "Login with Zoho"?

Login with Zoho is Zoho’s implementation of the OAuth 2.0 Authorization Code flow. It allows applications to authenticate users and access their Zoho CRM data without ever handling their passwords.

Instead of asking users for their Zoho credentials directly, the app redirects them to Zoho’s login screen. Here is how it works:

1. The app redirects the user to Zoho’s login page.
2. The user logs in and approves the requested permissions (scopes).
3. Zoho sends back an authorization code.
4. The backend exchanges this code for access and refresh tokens.
5. These tokens are used to make authenticated API calls.

This flow ensures that users maintain full control over their data. They can revoke access at any time, and your application never handles or stores passwords. 

In Zylker’s case, every time a coordinator opens the portal, they are prompted to log in with their Zoho account. Once authenticated, they can immediately begin working with student records—all backed by Zoho CRM.

Use Case Implementation: Zylker’s Student Management Portal

To demonstrate how this login flow works, we have built a stripped-down version of Zylker's portal:

• A front-end form to enter and view student data
• A backend server that interacts with Zoho CRM via the Zoho CRM Python SDK

The application includes a simple form for capturing student details—name, college, course, email, and phone number. Submitted data is treated as a Lead in Zoho CRM.

The app allows users to:

• Add new leads
• View a list of all registered leads
• Edit an existing lead’s information
• Delete records if necessary

All actions go straight to Zoho CRM using its Python SDK. But before any of this can happen, the user must complete the login flow.

Sample Project Structure

Before going into the implementation details, let us briefly define the components of the project.

Frontend

The frontend is a simple static web interface built with HTML, CSS, and JavaScript. It runs in the browser and handles user interactions and triggers backend API calls. These are the main files:

• index.html : Main UI for login, data entry, and record viewing.
• script.js : Contains the client-side logic to trigger login, submit data, and render records.
• redirect.html :  A minimal page used to capture the authorization code returned by Zoho after login.

The frontend is served using any static server (e.g., Live Server in VS Code) and runs on http://localhost:5501/ in our example. 

Download the files from here.

Configuration Notes:

• In script.js, update the redirect_url value in the login request to match your actual domain or port if you’re not using localhost:5501.
• Ensure the URL in the Zoho API Console matches this redirect URI and port.

Backend

The backend is a Python server that handles all interactions with Zoho CRM via the Python SDK. It includes:

• server.py : A custom HTTP server that:
• Generates the Zoho login URL
• Exchanges the authorization code for tokens
• Initializes the SDK
• Exposes endpoints like /create, /get_records, /update, and /delete
• record.py : Contains functions to create, fetch, update, and delete records in CRM modules like Leads. Each function uses the Zoho Python SDK methods to perform a specific operation.

This server runs on http://127.0.0.1:8085/ in our example. 

Download the files from here.

Configuration Notes:

• In server.py, replace the client_id with your actual client ID from Zoho's API Console.
• In record.py, replace the client_secret with your actual client secret.
• If required, change the front-end server’s host and port in the run() function at the bottom of server.py:
  def run(server_class=HTTPServer, handler_class=SDKInitialize, port=xxxx):

Sample project flow

      

Step 1: Register the application with Zoho API console

To initiate the login process, you need to register your application on the Zoho API Console. This is a one-time setup that provides your app with a Client ID and Client Secret, both of which are required to authenticate users and exchange authorization codes for tokens.

To register your application:

• Go to https://api-console.zoho.com
• Click Add Client
• Choose Server-based Applications
• Enter:
• Client Name: Zylker Academy
  
• Homepage URL: Use http://127.0.0.1:5501/index.html for local testing. In production, you must use a live HTTPS URL.
• Redirect URI: For instance, use http://127.0.0.1:5501/redirect.html for local testing. This is the endpoint to which Zoho redirects you and sends the authorization code after login. 
• Save the generated Client ID and Client Secret

We will be using these values in the backend script (server.py)  that handles token exchange.

NOTE: To support users from multiple data centres, make sure to enable multi-DC support for your application. You can do this by going to your app’s settings in the Zoho API Console and turning on the Multi-DC option.

Step 2: Implementing the login flow

Here is a walkthrough of the flow implemented in the project:

1. Page loads and triggers login

When a user opens the portal, the frontend automatically initiates the login sequence. It first makes a call to the backend to retrieve the Zoho authorization URL. 

In index.html, this triggers getRecords() on page load:

1. <body onload="getRecords();">

In script.js, getRecords() calls the login() function:

1. async function getRecords() {
2.     login();
3. }

The login() function sends a request to the backend to get the Zoho OAuth authorization URL.

2. Backend builds login URL

The backend responds with an OAuth URL that includes:

• Your client ID
• Scopes like ZohoCRM.modules.ALL
• The redirect URI

In server.py, under do_GET, the /login endpoint generates the OAuth URL:

1.    if parsed_url.path == '/login':
2.             redirect_url = query_params.get('redirect_url', [''])[0]
3.             scope = "ZohoCRM.settings.fields.ALL,ZohoCRM.modules.ALL,ZohoCRM.users.READ,ZohoCRM.org.READ"
4.             url = "https://accounts.zoho.com/oauth/v2/auth?scope=" + scope + "&client_id=" + self.client_id + \
5.                   "&redirect_uri=" + redirect_url + "&response_type=code&access_type=offline"
6.             self._set_headers()
7.             # Send response
8.             response = {"url": url, "redirect_url": redirect_url}
9.  self.wfile.write(json.dumps(response).encode('utf-8'))
   

Once the frontend (script.js) receives the login URL, it opens it in a popup window.

1. const response = await fetch('http://127.0.0.1:8085/login?redirect_url=http://127.0.0.1:5501/redirect.html');
2. const data = await response.json();
3. const popup = openCenteredPopup(data.url, "PopupWindow", 600, 400);
   

Here's an example of the Zoho OAuth authorization URL format:

      https://accounts.zoho.com/oauth/v2/auth?

      scope=ZohoCRM.modules.ALL&

      client_id=YOUR_CLIENT_ID&

      response_type=code&

      access_type=offline&

      redirect_uri=YOUR_REDIRECT_URI

3. User logs in on Zoho

The user logs in with their Zoho credentials and is prompted to approve the app's access. Once they approve, Zoho redirects them to the specified redirect URI along with an authorization code and location parameter. The location parameter indicates which data centre the user belongs to.

4. Frontend captures the authorization code

The redirect page, a minimal HTML file (redirect.html),  reads the URL parameters and stores them in localStorage, then closes the popup:

1. function setAccessToken() {
2.     var hashProps = getPropertiesFromURL();
3.     if (hashProps) {
4.         for (var key in hashProps) {
5.             if (hashProps.hasOwnProperty(key)) {
6.                 localStorage.setItem(key, hashProps[key]);
7.             }
8.         }
9.     }
10.     setTimeout(function () { window.close(); }, 0);
11. }
    

5. Token exchange and SDK initialization

Once the popup window is closed, the main window retrieves the authorization code and location and sends them to the backend’s /initialize endpoint.

In script.js:

1. var code = localStorage.getItem("code");
2. var location = localStorage.getItem("location");
3. initialize(code, location, data.redirect_url);
4. .
5. .
6. async function initialize(code, location, redirect_url) {
7.     const response = await fetch('http://127.0.0.1:8085/initialize?code=' + code + '&location=' + location + '&redirect_url=' + redirect_url);
8. }
   

In server.py, the /initialize endpoint handles SDK initialization:

1. elif parsed_url.path == '/initialize':
2.     code = query_params.get('code', [''])[0]
3.     location = query_params.get('location', [''])[0]
4.     redirect_url = query_params.get('redirect_url', [''])[0]
5.     LeadsRecords().init(self.client_id, code, location, redirect_url)
   

In record.py, the SDK is initialized and tokens are stored.

1. token = OAuthToken(client_id=client_id,
2.                    client_secret=client_secret,
3.                    grant_token=code,
4.                    redirect_url=redirect_url)
5. Initializer.initialize(environment=environment,
6.                        token=token,
7.                        logger=logger,
8.                        store=store)  # FilePersistence or custom store
   

This exchanges the authorization code for:

• An access token (valid for one hour)
• A refresh token (used to get new access tokens)

These tokens are saved in a local file (sdk_tokens.json). This is configured using Zoho’s FilePersistence class during SDK initialization 

How are tokens linked to users?

The SDK maps each access and refresh token pair to a unique user-organization combination. This means tokens generated for different organizations by the same user are stored separately. Likewise, if a user generates new tokens for the same organization, the SDK updates the existing tokens instead of creating duplicates. This ensures that API calls always use the correct tokens tied to the authenticated user and their organization. 

To enable this mapping, the SDK retrieves the user and organization information in the background. This requires the appropriate scopes to be included during authentication, ZohoCRM.users.READ and ZohoCRM.org.READ. Without these scopes, the SDK cannot identify the user-org combination correctly, which can lead to multiple token entries for the same user. That is why, in our sample project, we have included these scopes explicitly in the server.py file during the SDK initialization.

Once the SDK is initialized, the user is logged in, and the app can begin making CRM API calls on their behalf.

Step 3: Accessing Zoho CRM

Once the user is authenticated and the Zoho SDK is initialized on the backend, the frontend can call custom backend endpoints like /create or /get_records. These endpoints use the authenticated SDK instance to make CRM API calls on behalf of the user.

• GET /get_records?module=Leads : View all students
• POST /create?module=Leads : Add new student
• PUT /update?module=Leads&id=... : Edit existing entry
• DELETE /delete?module=Leads&id=... : Remove existing entry
  

Deploying the sample project

To run this application, you will need two components:

1. A frontend server to serve your HTML files (index.html, script.js, redirect.html). This can be done using any static web server (e.g., Live Server in VS Code).
2. A Python backend server that handles login, token storage, and CRM API communication. You can run it using:
   python server.py

In the given example, both servers communicate over localhost. You should set your redirect URI accordingly when registering your app in the Zoho console.

Conclusion

Login with Zoho is a secure, OAuth-based mechanism that allows users to authorize your application to access their Zoho CRM data. In this example, we built a real-world use case, a student portal for Zylker Academy, that authenticates users and interacts with CRM directly using the Zoho CRM Python SDK.

By walking through the entire flow, you now understand:

• Why OAuth is essential for secure CRM access
• How to register an application in Zoho
• What the login and token exchange flow looks like
• How to implement "Login with Zoho" in your applications

What is next?

In this project, we have used a simple file persistence method to store the token files. But in a real world scenario, this may not always meet your business requirements. In next week's Kaizen, we will implement custom token persistence instead of file persistence in the current project. We will explain how to implement this using SQLite, In-Memory and List DBs. With that, you will be equipped to implement a persistence method that fits your application architecture and deployment environment.

We hope that you found this useful. If you have any queries, let us know the comments below, or send an email to support@zohocrm.com. As always, we would love to hear from you!!

Stay tuned for next week's Kaizen : Implementing Custom Token Persistence 

             Previous Kaizen: Kaizen #190 - Queries in Custom Related Lists |  Kaizen Directory                                  

Download Links:

• Frontend Project Files 
  
• Backend Server Files             

Further Reading:

• Configuration and Initialization of Zoho CRM Python SDK (V7) for different client types
  
• Zoho CRM Scala SDK (V6) - Configuration and Initialization
  
• Zoho CRM SDKs                                                                                                                                                    

• Topic Participants

• Anu Abraham

  

• Sticky Posts

• Kaizen #198: Using Client Script for Custom Validation in Blueprint

  Nearing 200th Kaizen Post – 1 More to the Big Two-Oh-Oh! Do you have any questions, suggestions, or topics you would like us to cover in future posts? Your insights and suggestions help us shape future content and make this series better for everyone.

• Kaizen #226: Using ZRC in Client Script

  Hello everyone! Welcome to another week of Kaizen. In today's post, lets see what is ZRC (Zoho Request Client) and how we can use ZRC methods in Client Script to get inputs from a Salesperson and update the Lead status with a single button click. In this

• Kaizen #222 - Client Script Support for Notes Related List

  Hello everyone! Welcome to another week of Kaizen. The final Kaizen post of the year 2025 is here! With the new Client Script support for the Notes Related List, you can validate, enrich, and manage notes across modules. In this post, we’ll explore how

• Kaizen #217 - Actions APIs : Tasks

  Welcome to another week of Kaizen! In last week's post we discussed Email Notifications APIs which act as the link between your Workflow automations and you. We have discussed how Zylker Cloud Services uses Email Notifications API in their custom dashboard.

• Kaizen #216 - Actions APIs : Email Notifications

  Welcome to another week of Kaizen! For the last three weeks, we have been discussing Zylker's workflows. We successfully updated a dormant workflow, built a new one from the ground up and more. But our work is not finished—these automated processes are

• Recent Topics

• Customer Satisfaction (CSAT) Report

  From data to decisions: A deep dive into ticketing system reports The customer satisfaction (CSAT) report helps teams understand how customers feel about their support experience, identify service gaps, and continuously improve the help desk. It turns

• Timeline Tracking Support for records updates via module import and bulk write api

  Note: This update is currently available in Early Access and will soon be rolled out across all data centers (DCs) and for all editions of Zoho CRM. The update will be available to all users within your organization, regardless of their profiles or roles.

• Shifts in Zoho People vs Zoho Shifts?

  Hello Zoho People Team, We hope you are doing well. We are evaluating the Shifts functionality within Zoho People and comparing it to the standalone Zoho Shifts product. We’ve encountered comments and discussions suggesting that the Shifts feature inside

• Disable fields in During action in Blueprint?

  Hi there. I've tried field disable (setReadOnly(true)) using client script and the event is onMandatoryFormLoad on detail page, assuming it'll work on blueprint fields, but it bears no result. Is this the expected behaviour? That we can't do this yet?

• Develop and publish a Zoho Recruit extension on the marketplace

  Hi, I'd like to develop a new extension for Zoho Recruit. I've started to use Zoho Developers creating a Zoho CRM extension. But when I try to create a new extension here https://sigma.zoho.com/workspace/testtesttestest/apps/new I d'ont see the option of Zoho Recruit (only CRM, Desk, Projects...). I do see extensions for Zoho Recruit in the marketplace. How would I go about to create one if the option is not available in sigma ? Cheers, Rémi.

• Allow Managers to Create Shifts for Their Departments in Zoho People

  Hello Zoho People Product Team, Greetings and hope you are doing well. This feature request is related to Zoho People - please don't move it to zoho one! We would like to submit a feature request regarding shift management permissions in Zoho People.

• Zoho Learn and Zoho CRM integration

  I would like to see an integration between Zoho Learn and Zoho CRM. 1. To be able to add articles in a related list in all modules 2. Zia to suggest related articles in a Deal or Case or Lead 3. Ability to read / search articles during a call / follow

• Maintain steady traffic to your domain: How Domain Aliasing helps

  Consider this scenario: An organization has its primary domain as administrator.com. Now it wants to shorten its domain to admin.com because it's simpler and easier to remember. However, changing the domain completely can cause the following problems:

• Why Sharing Rules do Not support relative date comparison???

  I am creating a Sharing Rule and simply want to share where "Last Day of Coverage" (Date field) is Greater than TODAY (Starting Tomorrow). However, sharing rules don't have the option to compare a date field to a relative date (like today), only to Static

• Workflow rule only allows 10 workflow per module

  Apparently a Zoho professional edition only allows 10 workflow rules per module. This makes workflow allocation literally impossible while allocating potential to different members of the team. I have 15 licenses. Is there a way in which related alerts can be varied? In other words, is it possible to have different related alerts be triggered with different rule criteria. so if I say, if potential is 'x' then trigger related alert 'x' and if potential is 'y' then trigger related alert 'y' Thanks,

• IF Statement in Zoho CRM Formula Field

  Hi, I am attempting to write a formula field that will give me one result if one statement AND another statement are true, then a different value if the first statement AND a different statement are true, else 0. Stated differently: if account = destination

• Editing the Ticket Properties column

  This is going to sound like a dumb question, but I cannot figure out how to configure/edit the sections (and their fields) in this column: For example, we have a custom "Resolution" field, which parked itself in the "Ticket Information" section of this

• "Total Hours" on Employee Attendance Report

  I'm learning that in Zoho jargon, "total hours" does not include paid breaks. Or at least not the way that my setup is working. That seems a little weird to me, since most jurisdictions in the US don't differentiate between time spent on paid break and

• Integration with...

  Dear Zoho Commerce team, Please could you consider the integration within Zoho Commerce / Inventory and Qapla'? (https://www.qapla.it/en/) This app is better than Aftership in many ways: - Aftership integration require PRO plan and price start from more

• Create case via email

  Good Afternoon, I have just registered and am taking a look around the system. Is it possible to create a case via email.  I.e. an employee/client/supplier emails a certain address and that auto generates the case which then prompts a member of staff

• Locked Notebook

  Hi, I hadn't used my Notebook in some time and was refamiliarizing myself with it. I clicked a lock icon and now I can't unlock. When I hit the information or unlock icons I'm taken to a page with the notebook icon and a keyboard. When I type, nothing

• Hide fields only for creation

  Hello, I'd like to hide some fields only during the creation of a contact in Zoho CRM. In fact I have some fields that are automatically calculated thanks to an automation, so when my users create a contact I don't want them to fill those fields. I know

• Issues with Zoho Sheet in Mac

  I have downloaded the Zoho App from App Store but It is failing to Save As, Open & Download Operations. App Store

• Weekly Sales Summary

  Is it possible to generate a weekly report in Zoho Books to show -$$ amount of estimates generated -# of estimates generated by Salesperson -$$ amount of Sales Orders created -$$ amount of Invoices generated

• Add Account column to Invoice screen

  Please show the account column on Invoice creation screen. It is an unnecessary step to have to click add additional info and then select the account for line item. Example : on the bill creation screen when entering description we can easily code it against an account. On the invoice screen it requires additional click. Adding the column on the Invoice screen will make it faster to enter transactions. We currently have 5-6 different accounts that we code line items against, You can imagine the extra

• Custom Footer – Zoho Writer Document

  Hello everyone, I’m having an issue adding a custom footer in a Zoho Writer document. I would like to insert my company information (including a logo + address) in the footer. The problem is that when I add these elements, the main content of my pages

• Report grouping

  I have added a grouping in a report but it is not working how i had expected. I wanted to group a summary on a field named Size but when i add the grouping the report is still showing me each record and making a summary at the bottom of the report. What

• Social Media Simplified with Zoho Social: Preview your Instagram grid before posting

  For a platform like Instagram that relies on visual appeal, it's important that you plan your image and video content in a way that holds your audience's attention. Planning your grid ahead of time gives you the benefit of understanding how your posts

• Error code 1000

  Can you please tell me why the following, occasionally causes this error via the api, not every time ?... zoho.books.updateRecord("salesorders",organizationID,salesorderID,{"template_id":"#################069","custom_fields":[{"label":"DelDate","value":"Tuesday,

• VAT rates - exempt and out of scope

  Good Evening, UK based company here. I am a bit confused in respect of setting up VAT rates for exempt goods and services; at present I am simply leaving the VAT rate blank in the transactions in order to prevent any VAT appearing in the VAT return. When

• How to loop through Multiple Upload and Display Actual File Name

  I have been reading the help on the File Upload Control and reviewed the Deluge help on files and I can not figure out how to loop through the uploaded files and do anything but get the automatically created file names. The code below will run but each

• abou arattai

  I want to use the Arattai app for business purposes, so please convert my account to a business account.I have my own invoice app, and I want to link it with the Arattai app for direct messaging.

• Configurable Zoho Cliq Notifications for Zoho People Alerts

  Hello Zoho People Product Team, Greetings and hope you are doing well. We would like to request an enhancement to Zoho People notifications, enabling a native delivery via Zoho Cliq with admin-level control, similar to the notification settings available

• Looking back at Zoho Calendar in 2025

  Hello Zoho Calendar Community, As we step into a brand-new year, we’d like to take a moment to thank you for being an active and valued part of the Zoho Calendar community. Your trust, feedback, and continued engagement motivate us to keep evolving and

• There was an error while connecting to GSTN

  I am trying to file GSTR1. Everything flows smoothly until I reach the final step of filing the return. After I enter the PAN and OTP for filing it raises the error "There was an error while connecting to GSTN"

• Zoho Books Extension: What Happens If Custom Fields Already Exist?

  When developing Zoho Books extensions, what happens if the target Zoho Books organization already has a custom field with the same API name as one defined in the extension? I’m asking because we originally created an on-Books version of this functionality,

• Internal Server Error (500) When Attempting to View Banking Transactions

  I am experiencing an Internal Server Error (500) when attempting to view transactions across all of my banking accounts. Despite multiple attempts to resolve this, I have received little more than runaround from support, and the issue remains unresolved.

• How do I add a blank line to the Organisation Address Format?

  I'd like to have my VAT number, for example, shown prominently by having a clear gap between it and the address block above, but any blank lines in the address format get ignored in PDF outputs.

• Automatic Invoice Number generation for createRecord

  Hello, while testing some custom Buttons in my Zoho Books application, I noticed that I get an error that previously did not occur. After some further digging I found that the automatic transaction numbering of invoices no longer work in my organization.

• Adding number of days to an estimate.

  I need both QTY of item and "number of days hire" in my estimates at the line item level. Any clues as to how this is done would be greatly appreciated. It needs to calculate. Thanks J

• Books Api: listing expenses created after certain dates

  Is there any parameter I can add to the List Expenses endpoint that will let me look up expenses by when they were created?

• Why can't we change the Account type from an Expense to an Asset?

  Like the question. Why in QuickBooks for example if I mistakenly created an account as an expenses and I already captured information in those accounts, I can just change the account type from expense to asset

• Is it possible to do validation for the Actions added to Reports?

  We have an all-around On Validate function that checks all the possibilities before the Created/Edited form submissions. We want to have a button in the report view, so we can change records without entering. We are able to add this button, and it does

• [Free Webinar] Environments in Zoho Creator - Creator Tech Connect

  Hello Everyone, We’re delighted to kick off the 2026 edition of the Zoho Creator Tech Connect Series and are excited to continue this learning journey with you. The Creator Tech Connect series is a free monthly webinar featuring deep-dive technical sessions

• Zoho Voice API SMS

  I made a post request in Zapier to try to send an SMS. Authentication appears to be configured correctly. I followed the documentation and I'm getting a 400 Error "Internal Server Error". Not helpful at all. Anyways, I could not find any information on

• Next Page