Kaizen #3 - Scopes in OAuth2.0 Authorization #API
Hello Everyone!
Welcome to another week of Kaizen. We hope you find this series of posts useful. Please share your feedback in the comments section and keep the discussion going.
In the last kaizen post, we discussed the OAuth2.0 protocol and Self Client. There are two types of clients in OAuth 2.0—self client and web-based applications.
What you will learn from this post?
In this post, we are going to explore different facets of "Scopes in OAuth2.0 Authorization" in detail. Towards the end of this post, we will see various errors related to scopes, and how you can handle them.
Role of scopes in OAuth2.0
To use the Zoho CRM APIs, you must authenticate the client(either self client or web-based application) to make API calls on your behalf with an access token.
The access token, in return, must be obtained from a grant token (authorization code).
Zoho CRM APIs grant access to the CRM data, only if you provide a legitimate access token.
Based on the client-type, there are two different ways to generate grant token:
a. For web-based applications
Web-based applications are chosen when it requires user intervention while authorizing your application. Now, let us see how the OAuth2.0 protocol is implemented for web-based applications.
Step 1: The web application redirects the user to the OAuth server.
Step 2: The user sees the authorization prompt and approves the app's request as shown in the below image.
Step 3: The user is redirected back to the application with an authorization code in a query string.
Step 4: The application exchanges the authorization code for an access token.
As you can see, this involves user intervention while authorizing your application.
In the above explanation, in Step 2, the user will authorize the set of permissions for which the token has to be generated.
b. For self client
In our last kaizen post, in Step 5a, you must enter the set of permissions for which the token has to be generated for a self client.
These sets of permissions you define, before you generate a token are called scopes.
Scopes play a major role in OAuth2.0 Authentication. It is required for both self-client and web-based applications.
A. What is a scope in Zoho CRM?
The word scope translates to range or extent. In OAuth2.0, scopes define the liberty of a self client/ web application on a particular resource(data in Zoho CRM). The scope controls three aspects:
- The resource to which the client application gains access. Example: Users, Modules, Files, and so on.
- The client application.
- The different types of operations that the client application can perform on that particular resource. Example: ALL, READ, WRITE, CREATE, UPDATE, DELETE.
B. How do scopes work?
The access and refresh tokens are generated based on the scopes you provide.
Based on the token, the system decides whether you have access to perform a certain operation on a particular resource. Thus, there is no room left for data theft, loss, or corruption. For example, with a token that is generated just to view records, you cannot perform the update record operation.
C. Scope Format
The format to define a scope is:
scope=service_name.scope_name.operation_type
The scope consists of three components:
- service_name - Service name will always be ZohoCRM.
- scope_name - In scope name, mention the specific resource(data in Zoho CRM) for which the permissions are being defined. It can be settings, modules, users, org, bulk, notification, or coql.
- operation_type - In operation type, mention what types of operations can be performed on that resource. The following table defines the different operation types in scope:
Operation Type | HTTP Method | Description |
READ | GET | The user can just read the data. |
CREATE | POST | The user can create records. |
WRITE | POST, PUT, DELETE | The user can create, update, and delete the records. |
UPDATE | PUT | The user can update the existing records. |
DELETE | DELETE | The user can delete the records |
ALL | GET, POST, PUT, DELETE | The user can read, create, update, and delete the records. |
CUSTOM | It depends on how it is defined in the API. | User-defined, for instance, permission to send emails to leads. |
Note:
- If you give operation type as WRITE in your scope, it is implicitly understood that you are granting permission to CREATE, UPDATE, and DELETE records.
- Similarly, if you give operation type as ALL in your scope, it is implicitly understood that you are granting permission to READ, CREATE, UPDATE, and DELETE records.
D. Types of scopes
Based on the scope and methods, scopes are broadly differentiated into two types:
- Sub-scopes
- Group Scopes
a. Sub-scopes
Here the permission is defined for a specific resource. For instance, if you want to define permissions for leads and contacts modules, the scopes will be:
ZohoCRM.modules.leads.ALL
ZohoCRM.modules.contacts.ALL
Format
scope=service_name.scope_name.sub_scope_name.operation_type
The following table gives you the data about the scopes and different sub scopes. Along with each sub-scope, you can view which resource it is associated with:
Scopes | Sub scopes |
settings- This scope usually provides access to metadata and the information on the set-up page of Zoho CRM. | territories - Data about Territory Management. custom_views - Data about custom_views created by users in all the modules. related_lists - Data about related_lists. modules - Metadata of all the modules. variables - Data about CRM Variables. tags - Data about tags. tab_groups - Data about the tab groups in Zoho CRM. fields - Data about fields in all the modules. layouts - Data about layouts in all the modules. macros - Data about macros operations. custom_links - Data about the custom links. custom_buttons - Data about the custom buttons. roles - Data about roles in your organization. profiles - Data about profiles in your organization. organization - Data about your organization. |
modules- This scope gives access to all the modules in Zoho CRM. | approvals - Data in the 'My Jobs' tab. leads accounts contacts deals campaigns tasks - Part of the 'Activities' module. cases events - Part of the 'Activities' module. calls - Part of the 'Activities' module. solutions products vendors pricebooks quotes salesorders purchaseorders invoices custom - Scopes cannot be configured for individual custom modules. Use this method for all custom modules. dashboard - Data on the dashboard page. notes - Data about notes in each record. activities - Data about events, calls, and tasks. |
Apart from the above two, other scopes are–
- users - Data about individual users in Zoho CRM. For more information, refer to Users API.
- org - Data about your organization. For more information, refer to Organization API.
- bulk - Permissions to perform bulk operations. For more information, refer to Bulk API.
- notification - Permissions to send/receive instant notifications of actions performed on a module. For more information, refer to Notification API.
- coql - Permissions to write your queries. For more information, refer to Query API.
b. Group Scopes
Format
scope=service_name.scope_name.operation_type
Imagine that you need to set permissions for all the modules. With sub-scopes, you must enter the following list of scopes—
ZohoCRM.modules.leads.ALL,ZohoCRM.modules.accounts.ALL,ZohoCRM.modules.contacts.ALL,ZohoCRM.modules.deals.ALL,ZohoCRM.modules.campaigns.ALL,ZohoCRM.modules.tasks.ALL,ZohoCRM.modules.cases.ALL,ZohoCRM.modules.events.ALL,ZohoCRM.modules.calls.ALL,ZohoCRM.modules.solutions,ZohoCRM.modules.products,ZohoCRM.modules.vendors,ZohoCRM.modules.pricebooks,ZohoCRM.modules.quotes,ZohoCRM.modules.salesorders,ZohoCRM.modules.purchaseorders,ZohoCRM.modules.invoices,ZohoCRM.modules.custom.
This is both cumbersome and exposing all these details in UI is not advisable. Thus, we came up with group scopes. With group scopes, you can define a set of permissions for a collective resource set. So, if you need to set permissions for modules, you can define the scope as:
ZohoCRM.modules.ALL—This gives the user access to perform all operations in all the modules in Zoho CRM.
E. Possible Errors
Error Code | Reason | Strategy to handle |
INVALID_SCOPE | The scope value is invalid. | Check the service name, scope name, and the sub-scope. |
INVALID_OPERATION_TYPE | The operation type is invalid. | Ensure you have defined the operation type correctly. It must be either—READ, CREATE, WRITE, UPDATE, DELETE, ALL, or CUSTOM. |
OAUTH_SCOPE_MISMATCH | The operation you performed does not have the required scope. | Check if the operation you are trying to perform is allowed in the scopes defined or not. |
Note:
The INVALID_SCOPE and INVALID_OPERATION_SCOPE errors might be thrown while generating a grant token. The OAUTH_SCOPE_MISMATCH error might be thrown while you make an API call.
F. How to revoke access?
As mentioned earlier in this post, tokens are generated based on the scopes.
There are two use-cases here.
a. If you are a user who wants to revoke the access given to any web-application, then it has to be done via accounts web UI.
To revoke the access:
Step 1: Goto https://www.accounts.zoho.com.
Step 2: Choose 'Active Authtokens'.
Step 3: Click on 'Connected Apps'. Here you will be able to see all the active applications, click on the delete button to revoke access.
b. If you are a client/developer, to revoke permissions for your self-client, you must revoke the access and refresh tokens.
You cannot revoke the access token as it expires after an hour of its generation.
To revoke the refresh token, make a POST request with the following URL:
"{{Accounts_URL}}/oauth/v2/token/revoke?token={refresh_token}"
Note that you must use domain-specific Zoho Accounts URL to revoke your refresh token.
We will meet you next week with another useful topic.
Cheers!
Previous 'Kaizen' - OAuth2.0 and Self Client #API
Next 'Kaizen' - Troubleshooting OAuth2.0
Access your files securely from anywhere
New to Zoho Recruit?
Zoho Developer Community
New to Zoho LandingPage?
Zoho LandingPage Resources
New to Zoho Survey?
New to Zoho CRM Plus?
Deliver unforgettable customer experiences
New to Zoho CRM Plus?
Deliver unforgettable customer experiences
New to Zoho Marketing Plus?
Everything you need to run your marketing
New to Zoho Marketing Plus?
Everything you need to run your marketing
New to Bigin?
Topic Participants
Sneha Sridharan
Sticky Posts
Kaizen #197: Frequently Asked Questions on GraphQL APIs
🎊 Nearing 200th Kaizen Post – We want to hear from you! Do you have any questions, suggestions, or topics you would like us to cover in future posts? Your insights and suggestions help us shape future content and make this series better for everyone.Kaizen #198: Using Client Script for Custom Validation in Blueprint
Nearing 200th Kaizen Post – 1 More to the Big Two-Oh-Oh! Do you have any questions, suggestions, or topics you would like us to cover in future posts? Your insights and suggestions help us shape future content and make this series better for everyone.Celebrating 200 posts of Kaizen! Share your ideas for the milestone post
Hello Developers, We launched the Kaizen series in 2019 to share helpful content to support your Zoho CRM development journey. Staying true to its spirit—Kaizen Series: Continuous Improvement for Developer Experience—we've shared everything from FAQsKaizen #193: Creating different fields in Zoho CRM through API
🎊 Nearing 200th Kaizen Post – We want to hear from you! Do you have any questions, suggestions, or topics you would like us to cover in future posts? Your insights and suggestions help us shape future content and make this series better for everyone.Client Script | Update - Introducing Commands in Client Script!
Have you ever wished you could trigger Client Script from contexts other than just the supported pages and events? Have you ever wanted to leverage the advantage of Client Script at your finger tip? Discover the power of Client Script - Commands! Commands
New to Zoho TeamInbox?
Zoho TeamInbox Resources
Zoho CRM Plus Resources
Zoho Books Resources
Zoho Subscriptions Resources
Zoho Projects Resources
Zoho Sprints Resources
Qntrl Resources
Zoho Creator Resources
Zoho CRM Resources
Design. Discuss. Deliver.
Zoho Show Resources
Get Started. Write Away!
Writer is a powerful online word processor, designed for collaborative work.
Zoho CRM コンテンツ
-
オンラインヘルプ
-
Webセミナー
-
機能活用動画
-
よくある質問
-
Ebook
-
-
Zoho Campaigns
- Zoho サービスのWebセミナー
その他のサービス コンテンツ
Nederlandse Hulpbronnen
ご検討中の方
Recent Topics
Zoho Sign: need to leave document pending for up to a year, or maybe there's a better way?
I have zoho one, maybe there's a better way to do this with another service than sending a zoho sign template from zoho crm. At the end of the day this requirement is due to regulations, no matter how dumb it may seem. I'm just looking for a way of gettingCannot schedule report delivery
The only 'send option' available when exporting reports is 'immediately' The option to schedule the report is missing.how to use validation rules in subform
Is it possible to use validation rules for subforms? I tried the following code: entityMap = crmAPIRequest.toMap().get("record"); sum = 0; direct_billing = entityMap.get("direct_billing_details"); response = Map(); for each i in direct_billing { if(i.get("type")Separate Items & Services
Hi, please separate items and services into different categories. Thank youWhat's New in Zoho Inventory | Q2 2025
Hello Customers, The second quarter have been exciting months for Zoho Inventory! We’ve introduced impactful new features and enhancements to help you manage inventory operations with even greater precision and control. While we have many more excitingMastering Zia Match Scores | Let's Talk Recruit
Feeling overwhelmed by hundreds of resumes for every job? You’re not alone! Welcome back to Let’s Talk Recruit, where we break down Zoho Recruit’s features and hiring best practices into simple, actionable insights for recruiters. Imagine having an assistantWe are unable to process your request now. Please try again after sometime or contact support@zohoaccounts.com
I cannot sign up and return the error of we are unable to process your request now. Please try again after sometime or contact support@zohoaccounts.comMulti-currency - What's cooking ?
Hi, We have been doing this feature for sometime and we would like to give you some glimpses of it. Working with Multi Currency : Multicurrency support gives you the ability to handle business transactions in multiple currencies. You can define a base currency for your organization and add more currencies with exchange rates based on the base currency. Setup : From the setup page, you can manage all the currencies supported by your organization. Currencies pageIntegrating Chatbot with Zoho Creator Application
Is it possible to integrate a chatbot with a Zoho Creator application?How to reduce programmatically the image uploaded by user?
I need a function that will automatically reduce the pixel dimension to 800 x 600 pixels / 180 resolution or (approx. 1.37MB) of image uploaded by user from digital camera, for example, 2271 x 1704 pixels /180 resolution or approx. 11.1MB. After the user selected the image, the function will able to detect if pixels is above 800x600, process the photo (crop/ reduce) and resume upload. Need help...Dark mode for Zoho Creator / Zoho CRM Code editor
Hi Team, Is there any plans for Dark mode in Zoho creator / Zoho Crm code editor and development pages in pipeline?Is there a way to make a button scroll down?
Looking to have a button on a landing page scroll down to another section on the page. Any recomendations outside of coding?Collective-booking event not added to all staff calendars
We assign two staff to certain events. When the client books this event, it adds it to one staff calendar (the 'organiser') but not the other. How can I ensure all staff assigned to a collective booking get the event in their calendar? (A side note: itIssue showing too many consultations in my workspace link.
Hi Team, I’ve set up two Workspaces to track meetings from different sources. So far, this has been working well, and the two Workspaces are differentiated without any issues. However, when I navigate to Consultations and share the link to my personalZOHO Android Client
Hi, I installed the Android app, but it had an issue, so I reinstalled it. I was able to add multiple accounts, but now when I add the next account, it just duplicates the one I already have and will not even allow me to enter the info for another account.I'd like to suggest a feature enhancement for SalesIQ that would greatly improve the user experience across different channels.
Hello Zoho Team, Current Limitation: When I enable the pre-chat form under Brands > Flow Controls to collect the visitor’s name and email, it gets applied globally across all channels, including WhatsApp, Messenger, and Instagram. This doesn't quite alignEnhance Barcode/QR Code scanner with bulk scanning or continuously scanning
Dear Zoho Creator, As we all know, after each scan, the scanning frame closes. Imagine having 100 items; we would need to tap 100 times and wait roughly 1 second each time for the scanning frame to reopen on mobile web. It's not just about wasting time;Is there a way to sync Tags between CRM and Campaigns/Marketing Hub?
I wonder if there is a way to synch the tags between CRM and Marketing-Hub / Campaigns?Non-depreciating fixed asset
Hi! There are non-depreciable fixed assets (e.g. land). It would be very useful to be able to create a new type of fixed asset (within the fixed assets module) with a ‘No depreciation’ depreciation method. There is always the option of recording landManaging Rental Sales in Zoho Inventory
I am aware that Zoho Inventory is not yet set up to handle rental sales and invoicing. Is anyone using it for rentals anyway? I'd like to hear about how others have found work arounds to manage inventory of rental equipment, rental payments, etc. ThMegamenu
Finally! Megamenu's are now available in Zoho-Sites, after waiting for it and requesting it for years! BUT ... why am I asked to upgrade in order to use a megamenu? First: Zoho promised to always provide premium versions and options for all included Zoho-applicationsCannot access KB within Help Center
Im working with my boss to customize our knowledge base, but for some reason I can see the KB tab, and see the KB categories, but I cannot access the articles within the KB. We have been troubleshooting for weeks, and we have all permissions set up, customersZoho Flow to Creator 3001 Respoonse
I have updated my Flows with the new V2 connection to Zoho Creator, but now some Flows do not work. They take in data from a Webhook and are supposed to create a record in Creator, however creator returns a 3001 message along with a failure, but I cannotFile Upload to Work Drive While Adding Records in Zoho Creator Application
Hi I am trying to set a file attachment field in zoho creator form, to enable the user to upload a scanned document from their local pc. The file should be uploaded to zoho workdrive and not to the default zoho creator storage. The file link should beCOQL order by COUNT not working
Dear community, I am trying to get a list of deal amounts per planner working on it and sorted to get see who has the least amount of deals. For some reason, I am unable to use sort by in combination with a COUNT. My original code was: query = "selectWhy not possible to generate?
Using this https://desk.zoho.com/DeskAPIDocument#TicketCount#TicketCount_Getticketcountbyfield on my ZML script url :"https://desk.zoho.com/api/v1/ticketsCountByFieldValues?departmentId=XXXXXXXXXXX&accountId!=XXXXXXXXX&customField1=cf_country_1:XXXXXX&field=overDue"email
Hi My crm email is not working, can you check, I have zoho one account.Need option to see Mass Emails & Cadences in Gmail Outbox OR a dedicated Zoho Outbox
Hi everyone, Right now, when we send 1:1 emails from gmail (with gmail API connected to Zoho CRM), those emails appear both in gmail's sent folder and in Zoho CRM. That works well. But when we send Mass Emails or Cadence emails form Zoho CRM, they areIntegración Books para cumplir la ley Crea y Crece y Ley Antifraude (VeriFactu)
Hola: En principio, en julio de 2025, entra en vigor la ley Crea y Crece y Ley Antifraude (VeriFactu). ¿Sabéis si Zoho va a cumplir con la ley para cumplir con la facturación electrónica conectada a Hacienda? GraciasI can't found API for Sales Receipts
Hello May you please help me to find an API document for Sales Receipts to get data and retrive a custom fields like Invoice and credit notes RegardsProblem with reports due to "Connected" items change
Now that the change has been made to use "connected" items I can no longer run the reporting I need in CRM. I should be able to start with Deals as the parent, connect down to the Account (Account_Name) on the deal as the child, then to any child itemsKaizen #205 - Answering Your Questions | Managing Picklists and Enabling History Tracking via Zoho CRM APIs
Hello everyone! Welcome back to another post in our Kaizen series. In this post, we will look at how you can manage picklist fields in Zoho CRM using APIs. This topic was raised as feedback to Kaizen #200, so we are taking it up here with more details.Custom Fonts in Zoho CRM Template Builder
Hi, I am currently creating a new template for our quotes using the Zoho CRM template builder. However, I noticed that there is no option to add custom fonts to the template builder. It would greatly enhance the flexibility and branding capabilities ifMultiple Vendor SKUs
One of the big concerns we have with ZOHO Inventory is lack of Vendor Skus like many other inventory software packages offer. Being able to have multiple vendor skus for the same product would be HUGE! It would populate the appropriate vendor Sku forInternally created tickets
Hi there When tickets are created internally on-behalf of customers - there is nothing to show that the ticket was created by an internal agent. This means, that it's easy for our agents to confuse tickets which were created by internal team members andSpilt Axis for stacked column and line graph
Each month around this time I prepare a business review deck. One of the biggest annoyances I have with Zoho, also happens to be something that most other platforms have provided for a long time now, and that is being able to create a chart with stackedAutomatically change website passwords
Hi everyone, We just switched to a Professional package to also use the "Automatically change website passwords" function. But I cannot find anything about it, how to use it, anywhere. Does anyone know how I can use this function? Best, CasparZoho Desk Integration - Add the option to send the estimate from the Zoho Desk Ticket Integration
Hi, Currently in the Zoho Desk integration, the user is able to create an estimate from a ticket, once the estimate is created the user can see the estimate under the ticket (see screenshot below), but is not able to send that estimate from Zoho Desk.Change Invoice Prices for an Effective Date
Hi, It would be a really good feature to be able to change the prices on invoices/recurring invoices from an effective date in the event of price increases. For instance, I am in the process of increasing prices that will be effective from a specific"Other Current Asset" accounts as "Paid Through" accounts in Expense
It would be incredibly useful to be able to assign accounts of type Other Current Asset as Paid Through accounts in Expense. Currently, Other Current Liability are permitted as Paid Through Accounts. This makes sense, as Credit Cards are current liabilities.Next Page