Kaizen #3 - Scopes in OAuth2.0 Authorization #API
Hello Everyone!
Welcome to another week of Kaizen. We hope you find this series of posts useful. Please share your feedback in the comments section and keep the discussion going.
In the last kaizen post, we discussed the OAuth2.0 protocol and Self Client. There are two types of clients in OAuth 2.0—self client and web-based applications.
What you will learn from this post?
In this post, we are going to explore different facets of "Scopes in OAuth2.0 Authorization" in detail. Towards the end of this post, we will see various errors related to scopes, and how you can handle them.
Role of scopes in OAuth2.0
To use the Zoho CRM APIs, you must authenticate the client(either self client or web-based application) to make API calls on your behalf with an access token.
The access token, in return, must be obtained from a grant token (authorization code).
Zoho CRM APIs grant access to the CRM data, only if you provide a legitimate access token.
Based on the client-type, there are two different ways to generate grant token:
a. For web-based applications
Web-based applications are chosen when it requires user intervention while authorizing your application. Now, let us see how the OAuth2.0 protocol is implemented for web-based applications.
Step 1: The web application redirects the user to the OAuth server.
Step 2: The user sees the authorization prompt and approves the app's request as shown in the below image.
Step 3: The user is redirected back to the application with an authorization code in a query string.
Step 4: The application exchanges the authorization code for an access token.
As you can see, this involves user intervention while authorizing your application.
In the above explanation, in Step 2, the user will authorize the set of permissions for which the token has to be generated.
b. For self client
In our last kaizen post, in Step 5a, you must enter the set of permissions for which the token has to be generated for a self client.
These sets of permissions you define, before you generate a token are called scopes.
Scopes play a major role in OAuth2.0 Authentication. It is required for both self-client and web-based applications.
A. What is a scope in Zoho CRM?
The word scope translates to range or extent. In OAuth2.0, scopes define the liberty of a self client/ web application on a particular resource(data in Zoho CRM). The scope controls three aspects:
- The resource to which the client application gains access. Example: Users, Modules, Files, and so on.
- The client application.
- The different types of operations that the client application can perform on that particular resource. Example: ALL, READ, WRITE, CREATE, UPDATE, DELETE.
B. How do scopes work?
The access and refresh tokens are generated based on the scopes you provide.
Based on the token, the system decides whether you have access to perform a certain operation on a particular resource. Thus, there is no room left for data theft, loss, or corruption. For example, with a token that is generated just to view records, you cannot perform the update record operation.
C. Scope Format
The format to define a scope is:
scope=service_name.scope_name.operation_type
The scope consists of three components:
- service_name - Service name will always be ZohoCRM.
- scope_name - In scope name, mention the specific resource(data in Zoho CRM) for which the permissions are being defined. It can be settings, modules, users, org, bulk, notification, or coql.
- operation_type - In operation type, mention what types of operations can be performed on that resource. The following table defines the different operation types in scope:
Operation Type | HTTP Method | Description |
READ | GET | The user can just read the data. |
CREATE | POST | The user can create records. |
WRITE | POST, PUT, DELETE | The user can create, update, and delete the records. |
UPDATE | PUT | The user can update the existing records. |
DELETE | DELETE | The user can delete the records |
ALL | GET, POST, PUT, DELETE | The user can read, create, update, and delete the records. |
CUSTOM | It depends on how it is defined in the API. | User-defined, for instance, permission to send emails to leads. |
Note:
- If you give operation type as WRITE in your scope, it is implicitly understood that you are granting permission to CREATE, UPDATE, and DELETE records.
- Similarly, if you give operation type as ALL in your scope, it is implicitly understood that you are granting permission to READ, CREATE, UPDATE, and DELETE records.
D. Types of scopes
Based on the scope and methods, scopes are broadly differentiated into two types:
- Sub-scopes
- Group Scopes
a. Sub-scopes
Here the permission is defined for a specific resource. For instance, if you want to define permissions for leads and contacts modules, the scopes will be:
ZohoCRM.modules.leads.ALL
ZohoCRM.modules.contacts.ALL
Format
scope=service_name.scope_name.sub_scope_name.operation_type
The following table gives you the data about the scopes and different sub scopes. Along with each sub-scope, you can view which resource it is associated with:
Scopes | Sub scopes |
settings- This scope usually provides access to metadata and the information on the set-up page of Zoho CRM. | territories - Data about Territory Management. custom_views - Data about custom_views created by users in all the modules. related_lists - Data about related_lists. modules - Metadata of all the modules. variables - Data about CRM Variables. tags - Data about tags. tab_groups - Data about the tab groups in Zoho CRM. fields - Data about fields in all the modules. layouts - Data about layouts in all the modules. macros - Data about macros operations. custom_links - Data about the custom links. custom_buttons - Data about the custom buttons. roles - Data about roles in your organization. profiles - Data about profiles in your organization. organization - Data about your organization. |
modules- This scope gives access to all the modules in Zoho CRM. | approvals - Data in the 'My Jobs' tab. leads accounts contacts deals campaigns tasks - Part of the 'Activities' module. cases events - Part of the 'Activities' module. calls - Part of the 'Activities' module. solutions products vendors pricebooks quotes salesorders purchaseorders invoices custom - Scopes cannot be configured for individual custom modules. Use this method for all custom modules. dashboard - Data on the dashboard page. notes - Data about notes in each record. activities - Data about events, calls, and tasks. |
Apart from the above two, other scopes are–
- users - Data about individual users in Zoho CRM. For more information, refer to Users API.
- org - Data about your organization. For more information, refer to Organization API.
- bulk - Permissions to perform bulk operations. For more information, refer to Bulk API.
- notification - Permissions to send/receive instant notifications of actions performed on a module. For more information, refer to Notification API.
- coql - Permissions to write your queries. For more information, refer to Query API.
b. Group Scopes
Format
scope=service_name.scope_name.operation_type
Imagine that you need to set permissions for all the modules. With sub-scopes, you must enter the following list of scopes—
ZohoCRM.modules.leads.ALL,ZohoCRM.modules.accounts.ALL,ZohoCRM.modules.contacts.ALL,ZohoCRM.modules.deals.ALL,ZohoCRM.modules.campaigns.ALL,ZohoCRM.modules.tasks.ALL,ZohoCRM.modules.cases.ALL,ZohoCRM.modules.events.ALL,ZohoCRM.modules.calls.ALL,ZohoCRM.modules.solutions,ZohoCRM.modules.products,ZohoCRM.modules.vendors,ZohoCRM.modules.pricebooks,ZohoCRM.modules.quotes,ZohoCRM.modules.salesorders,ZohoCRM.modules.purchaseorders,ZohoCRM.modules.invoices,ZohoCRM.modules.custom.
This is both cumbersome and exposing all these details in UI is not advisable. Thus, we came up with group scopes. With group scopes, you can define a set of permissions for a collective resource set. So, if you need to set permissions for modules, you can define the scope as:
ZohoCRM.modules.ALL—This gives the user access to perform all operations in all the modules in Zoho CRM.
E. Possible Errors
Error Code | Reason | Strategy to handle |
INVALID_SCOPE | The scope value is invalid. | Check the service name, scope name, and the sub-scope. |
INVALID_OPERATION_TYPE | The operation type is invalid. | Ensure you have defined the operation type correctly. It must be either—READ, CREATE, WRITE, UPDATE, DELETE, ALL, or CUSTOM. |
OAUTH_SCOPE_MISMATCH | The operation you performed does not have the required scope. | Check if the operation you are trying to perform is allowed in the scopes defined or not. |
Note:
The INVALID_SCOPE and INVALID_OPERATION_SCOPE errors might be thrown while generating a grant token. The OAUTH_SCOPE_MISMATCH error might be thrown while you make an API call.
F. How to revoke access?
As mentioned earlier in this post, tokens are generated based on the scopes.
There are two use-cases here.
a. If you are a user who wants to revoke the access given to any web-application, then it has to be done via accounts web UI.
To revoke the access:
Step 1: Goto https://www.accounts.zoho.com.
Step 2: Choose 'Active Authtokens'.
Step 3: Click on 'Connected Apps'. Here you will be able to see all the active applications, click on the delete button to revoke access.
b. If you are a client/developer, to revoke permissions for your self-client, you must revoke the access and refresh tokens.
You cannot revoke the access token as it expires after an hour of its generation.
To revoke the refresh token, make a POST request with the following URL:
"{{Accounts_URL}}/oauth/v2/token/revoke?token={refresh_token}"
Note that you must use domain-specific Zoho Accounts URL to revoke your refresh token.
We will meet you next week with another useful topic.
Cheers!
Previous 'Kaizen' - OAuth2.0 and Self Client #API
Next 'Kaizen' - Troubleshooting OAuth2.0
Access your files securely from anywhere
New to Zoho Recruit?
Zoho Developer Community
New to Zoho LandingPage?
Zoho LandingPage Resources
New to Zoho Survey?
New to Zoho CRM Plus?
Deliver unforgettable customer experiences
New to Zoho CRM Plus?
Deliver unforgettable customer experiences
New to Zoho Marketing Plus?
Everything you need to run your marketing
New to Zoho Marketing Plus?
Everything you need to run your marketing
New to Bigin?
Topic Participants
Sneha Sridharan
Sticky Posts
Kaizen #217 - Actions APIs : Tasks
Welcome to another week of Kaizen! In last week's post we discussed Email Notifications APIs which act as the link between your Workflow automations and you. We have discussed how Zylker Cloud Services uses Email Notifications API in their custom dashboard.Kaizen #216 - Actions APIs : Email Notifications
Welcome to another week of Kaizen! For the last three weeks, we have been discussing Zylker's workflows. We successfully updated a dormant workflow, built a new one from the ground up and more. But our work is not finished—these automated processes areKaizen #152 - Client Script Support for the new Canvas Record Forms
Hello everyone! Have you ever wanted to trigger actions on click of a canvas button, icon, or text mandatory forms in Create/Edit and Clone Pages? Have you ever wanted to control how elements behave on the new Canvas Record Forms? This can be achievedKaizen #142: How to Navigate to Another Page in Zoho CRM using Client Script
Hello everyone! Welcome back to another exciting Kaizen post. In this post, let us see how you can you navigate to different Pages using Client Script. In this Kaizen post, Need to Navigate to different Pages Client Script ZDKs related to navigation A.Kaizen #210 - Answering your Questions | Event Management System using ZDK CLI
Hello Everyone, Welcome back to yet another post in the Kaizen Series! As you already may know, for the Kaizen #200 milestone, we asked for your feedback and many of you suggested topics for us to discuss. We have been writing on these topics over the
New to Zoho TeamInbox?
Zoho TeamInbox Resources
Zoho CRM Plus Resources
Zoho Books Resources
Zoho Subscriptions Resources
Zoho Projects Resources
Zoho Sprints Resources
Qntrl Resources
Zoho Creator Resources
Zoho CRM Resources
Design. Discuss. Deliver.
Zoho Show Resources
Get Started. Write Away!
Writer is a powerful online word processor, designed for collaborative work.
Zoho CRM コンテンツ
-
オンラインヘルプ
-
Webセミナー
-
機能活用動画
-
よくある質問
-
Ebook
-
-
Zoho Campaigns
- Zoho サービスのWebセミナー
その他のサービス コンテンツ
Nederlandse Hulpbronnen
ご検討中の方
Recent Topics
Zoho Tracking Image location
So we've been having an issue with tracking email opens. Specifically in Gmail. Our emails are not that long either, maybe 4 sections of image/250 characters of text/button per section. But all my test accounts I used via Gmail we're showing opens. But then come to find out the tracking image is at the very bottom of the email. So If the message is clipped (It always just clips our social icons on the bottom) and the user doesn't click the show more button it never tracks the open. Looking at otherAI Interview Insights: Turn Recorded Interviews into Quick Transcripts & Summaries
Evaluating interviews shouldn’t require replaying long recordings or taking manual notes. With AI Interview Insights, you can now review complete transcripts and AI-generated summaries of your One-way (Recorded) interviews right inside Zoho Recruit. ThisHow do I associate pricebooks to a customer?
I setup a few pricebooks, that worked fine. But now the only thing I can do with it, when I enter a quote or sales order, I can select which pricebook to use, but I have to do this product by product every time I add one. Is there a way to connect a pricebookDesk DMARC forwarding failure for some senders
I am not receiving important emails into Desk, because of DMARC errors. Here's what's happening: 1. email is sent from customer e.g. john@doe.com, to my email address, e.g info@acme.com 2. email is delivered successfully to info@acme.com (a shared inboxEmployee Appraisal Applicability - Why is Date of Joining Hard-Coded?
In the new (to me, at least) Performance Appraisal Cycle wizard, it's possible to set criteria to determine for whom the appraisal process should apply. This makes sense on its face. However, one MUST use the Date of Joining criterion as a filter. WhySpotlight series #6: The Show app for Android TV has a new look!
Hello everyone! We are delighted to introduce our revamped and redesigned Show app for Android TV. Smart TVs are exploding in popularity. Android TV alone has over 110 million active monthly devices. Zoho Show, as part of a constant effort to improveAsk the Experts 26: Brighten every customer interaction with Zoho Desk all year long
Hello everyone, Greetings and welcome to Ask the Experts 26. As we wrap up 2025, we are excited to invite you to the 26th episode of our Ask the Expert series. 🎄The Merry Metrics Edition = Best of Zoho Desk [Best Practices + Holiday Automation + Year-EndPricing calculator
Alright, so I'm trying to create a pricing calculator/pricing report generator to use in a cabinet shop. I did all the logic and such, and the calculator works. I have a few other things that I would need it to be able to do though, I'll do my best toBug Details
In the Bug detail the milestoneid is missingGroup by Owner/ Owner Kanban /Group by Custom Field
Hi, We are missing the option of viewing Tasks grouped by their owner, as it is an essential function for us to manage our employees' working tasks. We find it hard to inspect what are the tasks that our employees are working on. We are seeking an optionStop completed task lists from disappearing?
Is there any way to stop projects from making tasks lists disappear when all the tasks in the list are completed? That's one of those little things where we're constantly fighting the product. For instance we have some projects which are ongoing - no start and end date. We use Kanban view to show the various task lists. We don't want the kanban list to disappear every time the items on it happen to be closed out. ThanksSMS to customers from within Bigin
Hi All, Is there anyone else crying out for Bigin SMS capability to send an SMS to customers directly from the Bigin interface? We have inbuilt telephony already with call recordings which works well. What's lacking is the ability to send and receiveExciting Updates to the Kiosk Studio Feature in Zoho CRM!
Hello Everyone, We are here again with a series of new enhancements to Kiosk Studio, designed to elevate your experience and bring even greater efficiency to your business processes. These updates build upon our ongoing commitment to making Kiosk a powerfulPassing a form object to a function
Suppose I have a sort_order field in multiple tables and I want to increment it by +1 onCreate of a new record. Is there a way to pass the form object as an argument into the function to keep things DRY? The following function from Zia works, but I'dChange of Blog Author
Hi, I am creating the blog post on behalf of my colleague. When I publish the post, it is showing my name as author of the post which is not intended and needs to be changed to my colleague's name. How can I change the name of the author in the blogs?? Thanks, RamananAllow customers to choose meeting venue and meeting duration on booking page
My business primarily involves one-to-one meetings with my clients. Given the hybrid-work world we now find ourselves in, these meetings can take several forms (which I think of as the meeting "venue"): In-person Zoom Phone call I currently handle theseBooking outside of scheduled availability
Is there a way for staff (such as the secretary) to book appointments outside of the scheduled availability? Right now to do this special hours must be set each time. There should be a quicker way. Am I missing something?Operation Questions.
Hello, I hope you are well. To explain a little, we are a company that sells services and products with a technical team responsible for installation and maintenance. Zoho FSM can be useful for the technical team, namely for the technical coordinatorDirect Access and Better Search for Zoho Quartz Recordings
Hi Zoho Team, We would like to request a few enhancements to improve how Zoho Quartz recordings are accessed and managed after being submitted to Zoho Support. Current Limitation: After submitting a Quartz recording, the related Zoho Support ticket displaysUpdate date & time when a cell is edited
Hi All, I am desiring to have a cell update with the current date and time when another cell is edited. Any ideas? Thank youAdd "Groups" to "Share With" on Reports & All Entries
Hi, On Forms we can share Publicly, with Specific Users And/Or Specific Groups or All Users. With Reports and All Entries we lack the "Groups" option, please add this as with many users this saves a lot of work. Thanks DanAdd Pause / Resume Option to Zoho Quartz Recordings
Hi Zoho Team, We would like to request an enhancement to Zoho Quartz recordings: the ability to pause and resume an ongoing recording. Current Limitation: At the moment, when recording an issue with Zoho Quartz, the recording continues even when we areCustom Fields Not Showing Up in Invoice PDF Template Document Information
I have added 2 custom fields under Sales > Invoices > Manage Custom Fields. They are set to show in all PDFs. However when I am editing my Invoice PDF template, i do not see the custom fields under Document Information.Tracking Non-Inventory Items
We have several business locations and currently use zoho inventory to track retail items (sales and purchase orders). We were hoping to use zoho inventory to track our non-inventory items as well (toilet paper, paper towels, etc). I understand that weCan I use a Standalone CRM Function as the Callback URL For Async Export Data API?
I am creating an export job using this API https://www.zoho.com/analytics/api/v2/bulk-api/export-data-async/create-export/view-id.html There is a "callbackUrl" key in the CONFIG object. I tried copying the URL for a standalone function in CRM which canZOHO Books
Hi there, Why after I upgrade my Zoho invoice > Books then i wanted to add plugin which i cannot do. Please advise.How is Your eCommerce Experience w/Zoho Inventory?
First off, I'm SUPER grateful for the advent of Zoho Inventory and now the Zoho Commerce Suite. Overall, Inventory is a great product, especially for customers without an eCommerce presence. For eCommerce companies (especially those shipping more than ~10 packages/day), however, there are certain drawbacks that keep my clients from moving over to Zoho Inventory: Cons: 1. Invoice + Package Creation from Shopify/Other eCommerce Integrations: Zoho Inventory makes the somewhat perplexing decision toCliq iOS can't see shared screen
Hello, I had this morning a video call with a colleague. She is using Cliq Desktop MacOS and wanted to share her screen with me. I'm on iPad. I noticed, while she shared her screen, I could only see her video, but not the shared screen... Does Cliq iOS is able to display shared screen, or is it somewhere else to be found ? RegardsError AS101 when adding new email alias
Hi, I am trying to add apple@(mydomain).com The error AS101 is shown while I try to add the alias.Simplify Mass Replies with Predefined Templates and Snippets
Hello everyone, We are happy to introduce a new enhancement to Mass Reply that helps agents respond to customers quickly and consistently. With the addition of Email Templates and Snippets in the reply window, agents can use predefined messages whileAdd "Groups" above "Users" in the Zoho Forms Left Menu
Hi, We have Groups but you have to go to a Form and Share or use the Directory App to manage them, please add "Groups" above "Users" in the Zoho Forms Left Menu so you can manage them in 1 place within Zoho Forms too. Thanks DanMapping custom fields from one module to another
I have a custom field, "Subscription Period" that appears as a required field in every Opportunity (Potential). I want that field to appear on any Quotes derived from that Opportunity (and have created a custom field of the same name in Quotes for thatInquiry on Help Centre Tab Customisation
Hi Zoho team, I’m wondering if it’s possible to further customise the Help Center tabs, specifically the descriptions under Knowledge Base, Community, and Tickets. While the current setup allows customising tab names, being able to tailor the descriptionsPassing the CRM
Hi, I am hoping someone can help. I have a zoho form that has a CRM lookup field. I was hoping to send this to my publicly to clients via a text message and the form then attaches the signed form back to the custom module. This work absolutely fine whenThe Social Wall: November 2025
We’re nearing the end of the year, and the holiday season is officially kicking in! It’s that time when sales peak and your social media game needs to be stronger than ever. We’re back with exciting new updates across AI, analytics, and the mobile appItem name special charaters <>
Im trying to input speical characters such as < and > into item name and item description but comes up with following error: Invalid value passed for Item Name and Invalid value passed for Item Description How do i allow speical characters?How to update Multi File upload field
Assume that i have a multi file upload field,how can i update the same field again?Customer Address Not on Standard Invoice when Address is on Contact Record
Hi, I entered the customer billing and shipping address in Zoho CRM. I created an invoice in Zoho Books with the same customer contact. The contact is correctly in Zoho Books with the billing and shipping address. The invoice for the customer does notAuto-Invite Users to Portals in Zoho CRM based on Conditions
Hello Everyone, You can now automate portal invitations in Zoho CRM with the new Auto-Invite users feature in Portal management. No more manually enabling portal access one by one. With this enhancement, you can automatically send invites for users toApply partial payments to invoices from the Banking Module
We need this! Why is this not possible?Next Page