Kaizen #191: Implementing "Login with Zoho" using Python SDK

Kaizen #191: Implementing "Login with Zoho" using Python SDK

      
Welcome back to another week of Kaizen!!

This week, we are diving into how to implement secure user authentication using Login with Zoho and integrate it with Zoho CRM through our Python SDK.

To ground this in a real-world scenario, we will look at how Zylker Academy, a training institute offering web design and development courses, uses an internal portal that connects directly to Zoho CRM. This setup allows course coordinators to manage student data without maintaining a separate backend database.

Zylker receives frequent student enquiries and uses Zoho CRM to manage all related information. Every course coordinator, academic advisor, and support staff member who needs access to student information is added as a user in Zoho CRM, with access permissions aligned to their role. Instead of using Zoho’s interface directly, Zylker’s team works through a custom internal web portal, tailored to their workflow. This portal connects directly to Zoho CRM, reading from and writing to it, but does not have its own database.

But before this portal can access any CRM data, it must authenticate itself securely. Every time a user opens the portal, they must log in with their Zoho account. Once authenticated, they will be granted access to the CRM modules and records they are authorized to work with. That is where Login with Zoho comes in.

What is "Login with Zoho"?

Login with Zoho is Zoho’s implementation of the OAuth 2.0 Authorization Code flow. It allows applications to authenticate users and access their Zoho CRM data without ever handling their passwords.
Instead of asking users for their Zoho credentials directly, the app redirects them to Zoho’s login screen. Here is how it works:
  1. The app redirects the user to Zoho’s login page.
  2. The user logs in and approves the requested permissions (scopes).
  3. Zoho sends back an authorization code.
  4. The backend exchanges this code for access and refresh tokens.
  5. These tokens are used to make authenticated API calls.
This flow ensures that users maintain full control over their data. They can revoke access at any time, and your application never handles or stores passwords. 
In Zylker’s case, every time a coordinator opens the portal, they are prompted to log in with their Zoho account. Once authenticated, they can immediately begin working with student records—all backed by Zoho CRM.

Use Case Implementation: Zylker’s Student Management Portal

To demonstrate how this login flow works, we have built a stripped-down version of Zylker's portal:
  • A front-end form to enter and view student data
  • A backend server that interacts with Zoho CRM via the Zoho CRM Python SDK
The application includes a simple form for capturing student details—name, college, course, email, and phone number. Submitted data is treated as a Lead in Zoho CRM.
The app allows users to:
  • Add new leads
  • View a list of all registered leads
  • Edit an existing lead’s information
  • Delete records if necessary
All actions go straight to Zoho CRM using its Python SDK. But before any of this can happen, the user must complete the login flow.

Sample Project Structure

Before going into the implementation details, let us briefly define the components of the project.

Frontend
The frontend is a simple static web interface built with HTML, CSS, and JavaScript. It runs in the browser and handles user interactions and triggers backend API calls. These are the main files:
  • index.html : Main UI for login, data entry, and record viewing.
  • script.js : Contains the client-side logic to trigger login, submit data, and render records.
  • redirect.html :  A minimal page used to capture the authorization code returned by Zoho after login.
The frontend is served using any static server (e.g., Live Server in VS Code) and runs on http://localhost:5501/ in our example. 
Download the files from here.
Configuration Notes:
  • In script.js, update the redirect_url value in the login request to match your actual domain or port if you’re not using localhost:5501.
  • Ensure the URL in the Zoho API Console matches this redirect URI and port.
Backend
The backend is a Python server that handles all interactions with Zoho CRM via the Python SDK. It includes:
  • server.py : A custom HTTP server that:
    • Generates the Zoho login URL
    • Exchanges the authorization code for tokens
    • Initializes the SDK
    • Exposes endpoints like /create, /get_records, /update, and /delete
  • record.py : Contains functions to create, fetch, update, and delete records in CRM modules like Leads. Each function uses the Zoho Python SDK methods to perform a specific operation.
This server runs on http://127.0.0.1:8085/ in our example. 

Download the files from here.
Configuration Notes:
  • In server.py, replace the client_id with your actual client ID from Zoho's API Console.
  • In record.py, replace the client_secret with your actual client secret.
  • If required, change the front-end server’s host and port in the run() function at the bottom of server.py:
    def run(server_class=HTTPServer, handler_class=SDKInitialize, port=xxxx):

Sample project flow

      

Step 1: Register the application with Zoho API console

To initiate the login process, you need to register your application on the Zoho API Console. This is a one-time setup that provides your app with a Client ID and Client Secret, both of which are required to authenticate users and exchange authorization codes for tokens.
To register your application:
We will be using these values in the backend script (server.py)  that handles token exchange.

NotesNOTE: To support users from multiple data centres, make sure to enable multi-DC support for your application. You can do this by going to your app’s settings in the Zoho API Console and turning on the Multi-DC option.

Step 2: Implementing the login flow

Here is a walkthrough of the flow implemented in the project:

1. Page loads and triggers login

When a user opens the portal, the frontend automatically initiates the login sequence. It first makes a call to the backend to retrieve the Zoho authorization URL. 

In index.html, this triggers getRecords() on page load:
  1. <body onload="getRecords();">
In script.js, getRecords() calls the login() function:
  1. async function getRecords() {
  2.     login();
  3. }
The login() function sends a request to the backend to get the Zoho OAuth authorization URL.

2. Backend builds login URL

The backend responds with an OAuth URL that includes:
  • Your client ID
  • Scopes like ZohoCRM.modules.ALL
  • The redirect URI
In server.py, under do_GET, the /login endpoint generates the OAuth URL:
  1.    if parsed_url.path == '/login':
  2.             redirect_url = query_params.get('redirect_url', [''])[0]
  3.             scope = "ZohoCRM.settings.fields.ALL,ZohoCRM.modules.ALL,ZohoCRM.users.READ,ZohoCRM.org.READ"
  4.             url = "https://accounts.zoho.com/oauth/v2/auth?scope=" + scope + "&client_id=" + self.client_id + \
  5.                   "&redirect_uri=" + redirect_url + "&response_type=code&access_type=offline"
  6.             self._set_headers()
  7.             # Send response
  8.             response = {"url": url, "redirect_url": redirect_url}
  9.  self.wfile.write(json.dumps(response).encode('utf-8'))
Once the frontend (script.js) receives the login URL, it opens it in a popup window.
  1. const response = await fetch('http://127.0.0.1:8085/login?redirect_url=http://127.0.0.1:5501/redirect.html');
  2. const data = await response.json();
  3. const popup = openCenteredPopup(data.url, "PopupWindow", 600, 400);
Here's an example of the Zoho OAuth authorization URL format:
      scope=ZohoCRM.modules.ALL&
      client_id=YOUR_CLIENT_ID&
      response_type=code&
      access_type=offline&
      redirect_uri=YOUR_REDIRECT_URI

3. User logs in on Zoho

The user logs in with their Zoho credentials and is prompted to approve the app's access. Once they approve, Zoho redirects them to the specified redirect URI along with an authorization code and location parameter. The location parameter indicates which data centre the user belongs to.

4. Frontend captures the authorization code

The redirect page, a minimal HTML file (redirect.html),  reads the URL parameters and stores them in localStorage, then closes the popup:
  1. function setAccessToken() {
  2.     var hashProps = getPropertiesFromURL();
  3.     if (hashProps) {
  4.         for (var key in hashProps) {
  5.             if (hashProps.hasOwnProperty(key)) {
  6.                 localStorage.setItem(key, hashProps[key]);
  7.             }
  8.         }
  9.     }
  10.     setTimeout(function () { window.close(); }, 0);
  11. }

5. Token exchange and SDK initialization

Once the popup window is closed, the main window retrieves the authorization code and location and sends them to the backend’s /initialize endpoint.
In script.js:
  1. var code = localStorage.getItem("code");
  2. var location = localStorage.getItem("location");
  3. initialize(code, location, data.redirect_url);
  4. .
  5. .
  6. async function initialize(code, location, redirect_url) {
  7.     const response = await fetch('http://127.0.0.1:8085/initialize?code=' + code + '&location=' + location + '&redirect_url=' + redirect_url);
  8. }
In server.py, the /initialize endpoint handles SDK initialization:
  1. elif parsed_url.path == '/initialize':
  2.     code = query_params.get('code', [''])[0]
  3.     location = query_params.get('location', [''])[0]
  4.     redirect_url = query_params.get('redirect_url', [''])[0]
  5.     LeadsRecords().init(self.client_id, code, location, redirect_url)
In record.py, the SDK is initialized and tokens are stored.
  1. token = OAuthToken(client_id=client_id,
  2.                    client_secret=client_secret,
  3.                    grant_token=code,
  4.                    redirect_url=redirect_url)
  5. Initializer.initialize(environment=environment,
  6.                        token=token,
  7.                        logger=logger,
  8.                        store=store)  # FilePersistence or custom store
This exchanges the authorization code for:
  • An access token (valid for one hour)
  • A refresh token (used to get new access tokens)
These tokens are saved in a local file (sdk_tokens.json). This is configured using Zoho’s FilePersistence class during SDK initialization 

How are tokens linked to users?

The SDK maps each access and refresh token pair to a unique user-organization combination. This means tokens generated for different organizations by the same user are stored separately. Likewise, if a user generates new tokens for the same organization, the SDK updates the existing tokens instead of creating duplicates. This ensures that API calls always use the correct tokens tied to the authenticated user and their organization. 

To enable this mapping, the SDK retrieves the user and organization information in the background. This requires the appropriate scopes to be included during authentication, ZohoCRM.users.READ and ZohoCRM.org.READ. Without these scopes, the SDK cannot identify the user-org combination correctly, which can lead to multiple token entries for the same user. That is why, in our sample project, we have included these scopes explicitly in the server.py file during the SDK initialization.

Once the SDK is initialized, the user is logged in, and the app can begin making CRM API calls on their behalf.


Step 3: Accessing Zoho CRM

Once the user is authenticated and the Zoho SDK is initialized on the backend, the frontend can call custom backend endpoints like /create or /get_records. These endpoints use the authenticated SDK instance to make CRM API calls on behalf of the user.
  • GET /get_records?module=Leads : View all students
  • POST /create?module=Leads : Add new student
  • PUT /update?module=Leads&id=... : Edit existing entry
  • DELETE /delete?module=Leads&id=... : Remove existing entry

Deploying the sample project

To run this application, you will need two components:
  1. A frontend server to serve your HTML files (index.html, script.js, redirect.html). This can be done using any static web server (e.g., Live Server in VS Code).
  2. A Python backend server that handles login, token storage, and CRM API communication. You can run it using:
    python server.py
In the given example, both servers communicate over localhost. You should set your redirect URI accordingly when registering your app in the Zoho console.

Conclusion

Login with Zoho is a secure, OAuth-based mechanism that allows users to authorize your application to access their Zoho CRM data. In this example, we built a real-world use case, a student portal for Zylker Academy, that authenticates users and interacts with CRM directly using the Zoho CRM Python SDK.
By walking through the entire flow, you now understand:
  • Why OAuth is essential for secure CRM access
  • How to register an application in Zoho
  • What the login and token exchange flow looks like
  • How to implement "Login with Zoho" in your applications

What is next?

In this project, we have used a simple file persistence method to store the token files. But in a real world scenario, this may not always meet your business requirements. In next week's Kaizen, we will implement custom token persistence instead of file persistence in the current project. We will explain how to implement this using SQLite, In-Memory and List DBs. With that, you will be equipped to implement a persistence method that fits your application architecture and deployment environment.

We hope that you found this useful. If you have any queries, let us know the comments below, or send an email to support@zohocrm.com. As always, we would love to hear from you!!

Stay tuned for next week's Kaizen : Implementing Custom Token Persistence 


Download Links:
Further Reading:

    • Sticky Posts

    • Kaizen #222 - Client Script Support for Notes Related List

      Hello everyone! Welcome to another week of Kaizen. The final Kaizen post of the year 2025 is here! With the new Client Script support for the Notes Related List, you can validate, enrich, and manage notes across modules. In this post, we’ll explore how

    • Kaizen #217 - Actions APIs : Tasks

      Welcome to another week of Kaizen! In last week's post we discussed Email Notifications APIs which act as the link between your Workflow automations and you. We have discussed how Zylker Cloud Services uses Email Notifications API in their custom dashboard.

    • Kaizen #216 - Actions APIs : Email Notifications

      Welcome to another week of Kaizen! For the last three weeks, we have been discussing Zylker's workflows. We successfully updated a dormant workflow, built a new one from the ground up and more. But our work is not finished—these automated processes are

    • Kaizen #152 - Client Script Support for the new Canvas Record Forms

      Hello everyone! Have you ever wanted to trigger actions on click of a canvas button, icon, or text mandatory forms in Create/Edit and Clone Pages? Have you ever wanted to control how elements behave on the new Canvas Record Forms? This can be achieved

    • Kaizen #142: How to Navigate to Another Page in Zoho CRM using Client Script

      Hello everyone! Welcome back to another exciting Kaizen post. In this post, let us see how you can you navigate to different Pages using Client Script. In this Kaizen post, Need to Navigate to different Pages Client Script ZDKs related to navigation A.

    • Recent Topics

    • Zoho Meeting app update.

      Hello, everyone! In the latest Android (v2.3.7) and iOS (v1.7.1) versions of the Zoho Meeting app, we have brought in support for the following features: Report Abuse option. WorkDrive integration. Report Abuse option You can now report to us any deceptive

    • Zoho Meeting Android app update - v2.4.0

      Hello everyone! We are excited to announce that we have brought in support for the following features in the latest version of the Zoho Meeting Android app(v2.4.0): 1. Start Personal Meeting Rooms 2. Revamp of the schedule meeting screen and meeting details

    • Introducing Zoho Desk integration and a few minor enhancements

      Zoho Desk Integration We've now introduced an integration between Zoho Meeting and Zoho Desk to efficiently manage meeting-related customer inquiries. With this integration, you can track, respond to, and resolve meeting-related tickets directly from

    • Zoho Meeting iOS app update: Hearing aid, bluetooth car audio and AirPlay audio support.

      Hello everyone! We are excited to announce the below new features in the latest iOS update(v1.7.4) of the Zoho Meeting app: 1. Hearing aid support: Hearing aid support has been integrated into the application. 2. Bluetooth car Audio, AirPlay audio support:

    • Zoho Meeting Android app update: Breakout rooms, noise cancellation

      Hello everyone! In the latest version(v2.6.1) of the Zoho Meeting app update, we have brought in support for the following features: 1. Join Breakout rooms. 2. Noise cancellation Join Breakout rooms. Breakout Rooms are virtual rooms created within a meeting

    • iOS 12 update: Introducing autofill passwords and Siri Shortcuts in Zoho Vault

      With this iOS 12 release, Zoho Vault users can now autofill usernames and passwords on Safari and other third-party apps. Users can enjoy a seamless login experience to their everyday apps without compromising security and also access passwords stored in Zoho vault with Siri Shortcuts by adding personalized phrases. How to enable autofill password on your iOS device? First, you need to update your device to iOS 12.  Apple recommends you to take a backup before you update your device to the latest

    • Zoho Vault: A look at what's new for iOS, iPadOS, and macOS

      Hi everyone, At Zoho Vault, we constantly aim to improve your security experience. Based on both internal and external feedback, we have recently rolled out updates across our iOS, iPadOS, and support for macOS platforms. Introducing the desktop app for

    • Biometric Access Support on Zoho Vault Desktop App

      Is there any plans to add biometric authentication (fingerprint, face recognition) for Vault desktop apps (Windows/macOS) to enhance security and ease of access. I would love to hear other members view on this

    • Free webinar: Learn the benefits of migrating to Zoho Vault's new interface

      With remote work becoming more and more common across the globe, productivity and time management are now pivotal concerns for every organization. With the number of business applications employed by companies constantly increasing, a password manager like Zoho Vault saves a lot of productive hours for your team. Vault's new interface has been carefully designed to address these pressing needs, helping users increase their productivity while improving their overall online experience.  This July,

    • Free Webinar: An exclusive live Q&A session with the Zoho Vault team

      As 2020 draws to an end, we're closing out a year that has seen drastic changes all around the world. Many businesses have adopted cloud solutions and a remote work culture for the first time, and this has given rise to newer cyber risks and threats that

    • Why passwordless authentication should be your top security project for 2021

      Hello users! We know that nobody likes to remember passwords, yet they form an indispensable part of our lives. Many of us working with any kind of technology today manage numerous passwords for personal and business accounts. With the widespread adoption

    • Free Webinar: See why Zoho Vault is the best alternative to LastPass

      When LastPass was acquired by LogMeIn in Oct 2015, we expressed our genuine concern about how this would change the LastPass business model and how customer trust would transfer from one company to another. As we suspected, LastPass doubled their pricing

    • Managing cyber threats when working remotely | A Customer Survey Report

      The nearly universal adoption of remote work has changed the way businesses function. Globally, enterprises continue to work to find new ways to make life easier for employees working remotely. However, a commonly cited concern has been the lack of cybersecurity

    • World Password Day: 5 interesting facts about passwords

      It's World Password Day: that time of the year when we talk about password hygiene and the importance of safe password management. World Password Day is observed on the first Thursday of every May, and this year, we'd like to talk about some of the most

    • Free Webinar: Go passwordless in 2022 with Zoho Vault

      Passwords have long been the preferred authentication method, largely due to their universal appeal. While they're easy for people to use and implement, they're also convenient for hackers to exploit. Reports from 2021 state that weak and stolen passwords

    • Myki has announced EOL for its services | Learn why Zoho Vault password manager is the best alternative

      Hello Myki users,   Myki has announced end-of-life for its Teams, MSP, and GUARD services, after being acquired by JumpCloud. In their recent announcement, Myki stated that they will be removing their apps and extensions from the respective stores, turning

    • Join our exclusive meetup with Zoho's Real Estate community

      Hey there, The Zoho Vault team is conducting a meetup for all real-estate users from Zoho. During this session, we will be discussing the need for secure password management and how Vault can help you and your clients safely protect passwords and other

    • Free webinar: A quick walkthrough of Zoho Vault and major updates in 2023

      Managing passwords is crucial for all businesses. You can securely store, share, and manage passwords effectively from anywhere with Zoho Vault. We have introduced several new features in 2023 to offer the best online experience for our users. Join our

    • Free webinar: Why a password manager is a “must-have” for everyone in 2024

      In the past decade, we've witnessed numerous cybersecurity breaches globally, with a significant portion resulting from the "it won't happen to me" mindset. Shockingly, in 2023, 86% of breaches involved weak and stolen passwords. Password hygiene is crucial

    • Zoho Vault - Webinars 2023 - Video Recordings and Slide Decks

      Hello, We wanted to offer a consolidated list of Zoho Vault webinar resources from 2023. Therefore, we're putting together a list that includes links to our webinar recordings and slide decks for easy access. Webinar Video recording Slide deck Getting

    • Free webinar: ‌Focal point: Building a financial ecosystem with Zoho Vault and Zoho Workplace

      Hi everyone! Cyber threats against the financial sector are escalating. In the last two decades, nearly one-fifth of reported incidents targeted financial institutions, causing $12 billion in direct losses. Cybercriminals are becoming more sophisticated,

    • New features in Zoho Vault

      We’re thrilled to introduce a wave of powerful updates in Zoho Vault, designed to enhance security, streamline workflows, and improve your overall experience. Let’s dive into what’s new! Folder creation restrictions Limit who can create folders in your

    • Join our World Password and Passkey Day expert Q&A 2025

      Hey everyone! World Password and Passkey Day is almost here, and there's no better time to talk about something we all rely on daily—secure authentication. Did you know that a staggering 60% of hacking-related breaches are tied to weak or stolen passwords?

    • Dashlane discontinued its free plan: Here's why Zoho Vault's free plan is worth the switch

      Hey everyone, Dashlane password manager has officially announced that its free plan will be discontinued starting September 16, 2025. This change means that current free users will need to either upgrade to a paid subscription or export their data and

    • Introducing SecureForms in Zoho Vault

      Hey everyone, Let’s face it—asking someone to send over a password or other sensitive data is rarely straightforward. You wait. You nudge. You follow up once, twice—maybe more. And when the information finally arrives, it shows up in the worst possible

    • Clickjacking: Zoho Vault's Response

      Issue: Password manager browser extensions are found to be vulnerable to clickjacking security vulnerabilities that could allow attackers to steal account credentials, TFA codes, and card details under certain conditions. Reported by: Marek Toth, Independent

    • Free webinar: Security that works: Building resilience for the AI-powered workforce

      Hello there, Did you know that more than 51% of organizations worldwide have experienced one or more security breaches, each costing over $1 million in losses or incident response? In today’s threat landscape, simply playing defense is no longer enough.

    • Free webinar—Redefining workforce security with Zoho Vault: Passwords, passkeys, and multi-factor authentication

      Hi everyone! Did you know that in Q2 alone, 94 million data records were leaked globally? Behind every breach is a combination of poor password habits, phishing attacks, privilege misuse, and simple human error. The fallout—including reputational damage,

    • Fill Colors

      Hello, Just curious, is it possible to manage the Used and standard colors in the fill drop down menu ? I would like to change/edit them is possible to colors I frequently use. Thanks for you reply, Bruce

    • Client scripts for Zoho Books ?

      Good day everyone, I am looking for a way to be able to interact with the Quotes and Invoices as they are being created. Think of it like Zoho client script in Zoho CRM. But for the life of me I dont see a way to do this. The issue with having function

    • Fillable template with dynamic tables?

      Is there a way to build a fillable template so that users can add rows to a table? To describe what I'm trying to accomplish the table has 3 sections; a header row, some number of rows with custom information, and a summary row with totals. I can't figure

    • Invoicing multiple expense items as a single line item

            My client would like me to invoice them for multiple expense items on a single line item on an invoice.  Can this be done?  I know I can import billable expenses to an invoice, but I don't know how to show them as a single line item or have them

    • Tables improvement ideas / features

      Heya, I've been using Zoho Tables for a few months now and wanted to post some features that I think will be greatly beneficial for the tool: 1. Ability to delete a record in automation or move a record in automation. - Usecase: I move a record from one

    • Announcing offline payment modes for event tickets

      Hello everyone,   Collecting ticket payments from prospective attendees can be a tricky part of event planning. While Zoho Backstage has always allowed you to collect payments online as people buy tickets from your event microsite, we have now enabled

    • Gmail is ramping up its email sender policy from November 2025

      Hello marketers, As you may be aware, Gmail introduced a guideline for bulk senders starting February 2024. If not, here's a quick refresher straight from Google: After this policy was announced first in 2023 and soft-implemented in February 2024, we

    • Is there a list of Zoho Icons?

      Is there a list of Zoho Icons you can reference: i.e. business-gold is <image marginRight='7px' color='#2A70E7' bgColor='#FFFFFF' width='52px' height='52px' type='icon' value='business-gold' size='24px' cornerRadius='26px' iconType='solid' /> Thanks!

    • Item images

      Can we get an "On hover" expanded image for items please ?

    • Ability to Create and Manage YouTube Video Chapters in Zoho Social

      Hi Zoho Social Team, How are you? We would like to request an enhancement to Zoho Social that would allow users to create and manage YouTube video chapters directly within the platform. Currently, Zoho Social does not support manually adding chapters

    • What happens to my current site SEO if i opt for zoho creator?

      I have an existing website and I need to use Zoho creators for the rapid creation of my webpage creation. Currently, my IT team is creating the web pages, but I am concerned about the SEO of my current website if I shift to zoho will i loose it all?

    • Preview Emails with Merge Fields before sending

      Hello, Are there plans to preview an email with merge fields before sending out? Currently, all you see in the preview are the merge field values, but before I send out the email I want to make sure the merge is working. Also, the saved emails only show

    • Next Page