Kaizen #3 - Scopes in OAuth2.0 Authorization #API
Hello Everyone!
Welcome to another week of Kaizen. We hope you find this series of posts useful. Please share your feedback in the comments section and keep the discussion going.
In the last kaizen post, we discussed the OAuth2.0 protocol and Self Client. There are two types of clients in OAuth 2.0—self client and web-based applications.
What you will learn from this post?
In this post, we are going to explore different facets of "Scopes in OAuth2.0 Authorization" in detail. Towards the end of this post, we will see various errors related to scopes, and how you can handle them.
Role of scopes in OAuth2.0
To use the Zoho CRM APIs, you must authenticate the client(either self client or web-based application) to make API calls on your behalf with an access token.
The access token, in return, must be obtained from a grant token (authorization code).
Zoho CRM APIs grant access to the CRM data, only if you provide a legitimate access token.
Based on the client-type, there are two different ways to generate grant token:
a. For web-based applications
Web-based applications are chosen when it requires user intervention while authorizing your application. Now, let us see how the OAuth2.0 protocol is implemented for web-based applications.
Step 1: The web application redirects the user to the OAuth server.
Step 2: The user sees the authorization prompt and approves the app's request as shown in the below image.
Step 3: The user is redirected back to the application with an authorization code in a query string.
Step 4: The application exchanges the authorization code for an access token.
As you can see, this involves user intervention while authorizing your application.
In the above explanation, in Step 2, the user will authorize the set of permissions for which the token has to be generated.
b. For self client
In our last kaizen post, in Step 5a, you must enter the set of permissions for which the token has to be generated for a self client.
These sets of permissions you define, before you generate a token are called scopes.
Scopes play a major role in OAuth2.0 Authentication. It is required for both self-client and web-based applications.
A. What is a scope in Zoho CRM?
The word scope translates to range or extent. In OAuth2.0, scopes define the liberty of a self client/ web application on a particular resource(data in Zoho CRM). The scope controls three aspects:
- The resource to which the client application gains access. Example: Users, Modules, Files, and so on.
- The client application.
- The different types of operations that the client application can perform on that particular resource. Example: ALL, READ, WRITE, CREATE, UPDATE, DELETE.
B. How do scopes work?
The access and refresh tokens are generated based on the scopes you provide.
Based on the token, the system decides whether you have access to perform a certain operation on a particular resource. Thus, there is no room left for data theft, loss, or corruption. For example, with a token that is generated just to view records, you cannot perform the update record operation.
C. Scope Format
The format to define a scope is:
scope=service_name.scope_name.operation_type
The scope consists of three components:
- service_name - Service name will always be ZohoCRM.
- scope_name - In scope name, mention the specific resource(data in Zoho CRM) for which the permissions are being defined. It can be settings, modules, users, org, bulk, notification, or coql.
- operation_type - In operation type, mention what types of operations can be performed on that resource. The following table defines the different operation types in scope:
Operation Type | HTTP Method | Description |
READ | GET | The user can just read the data. |
CREATE | POST | The user can create records. |
WRITE | POST, PUT, DELETE | The user can create, update, and delete the records. |
UPDATE | PUT | The user can update the existing records. |
DELETE | DELETE | The user can delete the records |
ALL | GET, POST, PUT, DELETE | The user can read, create, update, and delete the records. |
CUSTOM | It depends on how it is defined in the API. | User-defined, for instance, permission to send emails to leads. |
Note:
- If you give operation type as WRITE in your scope, it is implicitly understood that you are granting permission to CREATE, UPDATE, and DELETE records.
- Similarly, if you give operation type as ALL in your scope, it is implicitly understood that you are granting permission to READ, CREATE, UPDATE, and DELETE records.
D. Types of scopes
Based on the scope and methods, scopes are broadly differentiated into two types:
- Sub-scopes
- Group Scopes
a. Sub-scopes
Here the permission is defined for a specific resource. For instance, if you want to define permissions for leads and contacts modules, the scopes will be:
ZohoCRM.modules.leads.ALL
ZohoCRM.modules.contacts.ALL
Format
scope=service_name.scope_name.sub_scope_name.operation_type
The following table gives you the data about the scopes and different sub scopes. Along with each sub-scope, you can view which resource it is associated with:
Scopes | Sub scopes |
settings- This scope usually provides access to metadata and the information on the set-up page of Zoho CRM. | territories - Data about Territory Management. custom_views - Data about custom_views created by users in all the modules. related_lists - Data about related_lists. modules - Metadata of all the modules. variables - Data about CRM Variables. tags - Data about tags. tab_groups - Data about the tab groups in Zoho CRM. fields - Data about fields in all the modules. layouts - Data about layouts in all the modules. macros - Data about macros operations. custom_links - Data about the custom links. custom_buttons - Data about the custom buttons. roles - Data about roles in your organization. profiles - Data about profiles in your organization. organization - Data about your organization. |
modules- This scope gives access to all the modules in Zoho CRM. | approvals - Data in the 'My Jobs' tab. leads accounts contacts deals campaigns tasks - Part of the 'Activities' module. cases events - Part of the 'Activities' module. calls - Part of the 'Activities' module. solutions products vendors pricebooks quotes salesorders purchaseorders invoices custom - Scopes cannot be configured for individual custom modules. Use this method for all custom modules. dashboard - Data on the dashboard page. notes - Data about notes in each record. activities - Data about events, calls, and tasks. |
Apart from the above two, other scopes are–
- users - Data about individual users in Zoho CRM. For more information, refer to Users API.
- org - Data about your organization. For more information, refer to Organization API.
- bulk - Permissions to perform bulk operations. For more information, refer to Bulk API.
- notification - Permissions to send/receive instant notifications of actions performed on a module. For more information, refer to Notification API.
- coql - Permissions to write your queries. For more information, refer to Query API.
b. Group Scopes
Format
scope=service_name.scope_name.operation_type
Imagine that you need to set permissions for all the modules. With sub-scopes, you must enter the following list of scopes—
ZohoCRM.modules.leads.ALL,ZohoCRM.modules.accounts.ALL,ZohoCRM.modules.contacts.ALL,ZohoCRM.modules.deals.ALL,ZohoCRM.modules.campaigns.ALL,ZohoCRM.modules.tasks.ALL,ZohoCRM.modules.cases.ALL,ZohoCRM.modules.events.ALL,ZohoCRM.modules.calls.ALL,ZohoCRM.modules.solutions,ZohoCRM.modules.products,ZohoCRM.modules.vendors,ZohoCRM.modules.pricebooks,ZohoCRM.modules.quotes,ZohoCRM.modules.salesorders,ZohoCRM.modules.purchaseorders,ZohoCRM.modules.invoices,ZohoCRM.modules.custom.
This is both cumbersome and exposing all these details in UI is not advisable. Thus, we came up with group scopes. With group scopes, you can define a set of permissions for a collective resource set. So, if you need to set permissions for modules, you can define the scope as:
ZohoCRM.modules.ALL—This gives the user access to perform all operations in all the modules in Zoho CRM.
E. Possible Errors
Error Code | Reason | Strategy to handle |
INVALID_SCOPE | The scope value is invalid. | Check the service name, scope name, and the sub-scope. |
INVALID_OPERATION_TYPE | The operation type is invalid. | Ensure you have defined the operation type correctly. It must be either—READ, CREATE, WRITE, UPDATE, DELETE, ALL, or CUSTOM. |
OAUTH_SCOPE_MISMATCH | The operation you performed does not have the required scope. | Check if the operation you are trying to perform is allowed in the scopes defined or not. |
Note:
The INVALID_SCOPE and INVALID_OPERATION_SCOPE errors might be thrown while generating a grant token. The OAUTH_SCOPE_MISMATCH error might be thrown while you make an API call.
F. How to revoke access?
As mentioned earlier in this post, tokens are generated based on the scopes.
There are two use-cases here.
a. If you are a user who wants to revoke the access given to any web-application, then it has to be done via accounts web UI.
To revoke the access:
Step 1: Goto https://www.accounts.zoho.com.
Step 2: Choose 'Active Authtokens'.
Step 3: Click on 'Connected Apps'. Here you will be able to see all the active applications, click on the delete button to revoke access.
b. If you are a client/developer, to revoke permissions for your self-client, you must revoke the access and refresh tokens.
You cannot revoke the access token as it expires after an hour of its generation.
To revoke the refresh token, make a POST request with the following URL:
"{{Accounts_URL}}/oauth/v2/token/revoke?token={refresh_token}"
Note that you must use domain-specific Zoho Accounts URL to revoke your refresh token.
We will meet you next week with another useful topic.
Cheers!
Previous 'Kaizen' - OAuth2.0 and Self Client #API
Next 'Kaizen' - Troubleshooting OAuth2.0
Access your files securely from anywhere
Centralize Knowledge. Transform Learning.
All-in-one knowledge management and training platform for your employees and customers.
New to Zoho Recruit?
Zoho Developer Community
New to Zoho LandingPage?
Zoho LandingPage Resources
New to Zoho Survey?
New to Zoho CRM Plus?
Deliver unforgettable customer experiences
New to Zoho CRM Plus?
Deliver unforgettable customer experiences
New to Zoho Marketing Plus?
Everything you need to run your marketing
New to Zoho Marketing Plus?
Everything you need to run your marketing
New to Bigin?
Topic Participants
Sneha Sridharan
Sticky Posts
Kaizen #198: Using Client Script for Custom Validation in Blueprint
Nearing 200th Kaizen Post – 1 More to the Big Two-Oh-Oh! Do you have any questions, suggestions, or topics you would like us to cover in future posts? Your insights and suggestions help us shape future content and make this series better for everyone.Kaizen #226: Using ZRC in Client Script
Hello everyone! Welcome to another week of Kaizen. In today's post, lets see what is ZRC (Zoho Request Client) and how we can use ZRC methods in Client Script to get inputs from a Salesperson and update the Lead status with a single button click. In thisKaizen #222 - Client Script Support for Notes Related List
Hello everyone! Welcome to another week of Kaizen. The final Kaizen post of the year 2025 is here! With the new Client Script support for the Notes Related List, you can validate, enrich, and manage notes across modules. In this post, we’ll explore howKaizen #217 - Actions APIs : Tasks
Welcome to another week of Kaizen! In last week's post we discussed Email Notifications APIs which act as the link between your Workflow automations and you. We have discussed how Zylker Cloud Services uses Email Notifications API in their custom dashboard.Kaizen #216 - Actions APIs : Email Notifications
Welcome to another week of Kaizen! For the last three weeks, we have been discussing Zylker's workflows. We successfully updated a dormant workflow, built a new one from the ground up and more. But our work is not finished—these automated processes are
New to Zoho TeamInbox?
Zoho TeamInbox Resources
Zoho CRM Plus Resources
Zoho Books Resources
Zoho Subscriptions Resources
Zoho Projects Resources
Zoho Sprints Resources
Qntrl Resources
Zoho Creator Resources
Zoho CRM Resources
Design. Discuss. Deliver.
Zoho Show Resources
Get Started. Write Away!
Writer is a powerful online word processor, designed for collaborative work.
Zoho CRM コンテンツ
-
オンラインヘルプ
-
Webセミナー
-
機能活用動画
-
よくある質問
-
Ebook
-
-
Zoho Campaigns
- Zoho サービスのWebセミナー
その他のサービス コンテンツ
Nederlandse Hulpbronnen
ご検討中の方
Recent Topics
Where Do I set 24h time format in Cliq?
Where Do I set 24h time format? Thanks🎉 ¡Seguimos trayendo novedades a Español Zoho Community! 🎉 Confirmada la agenda y ubicación para los Workshops Certificados
Si todavía no te has hecho con tu entrada para nuestros Workshops Certificados del próximo 26 y 27 de marzo o, por el contrario, estabas esperando que confirmáramos dónde los celebraremos, ¡este post es para ti! 📍¿Dónde nos vemos?📍 Nuestros WorkshopsUser is already present in another account error in assigning users to marketing automation
Hello everyone Greeting, I had a problem in assigning user in marketing automation, when I try to add it I see this error: (User is already present in another account error) what should I do?How do I get complete email addresses to show?
I opened a free personal Zoho email account and am concerned that when I enter an email address in the "To", "CC", fields, it changes to a simple first name. This might work well for most people however I do need to see the actual email addresses showingWhat's New in Zoho POS - January 2026
Hello everyone, Welcome to Zoho POS’s monthly updates, where we share our latest feature updates, enhancements, events, and more. Let’s take a look at how January went. Sort and resolve conflicts Conflicts are issues that may arise when registers andOutlook is blocking incoming mail
Outlook is blocking all emails sent from the Zoho server. ERROR CODE :550 - 5.7.1 Unfortunately, messages from [136.143.169.51] weren't sent. Please contact your Internet service provider since part of their network is on our block list (S3150). It looksNot receiving email from customers and suppliers
I am getting error . most of the customers tell me not able to send me email please check i have attached screenshotCreate user
Hello I want to create user, but i get this error Unusual activity detected from this IP. Please try again after some time.File emails in Shared email folder
Hi, I am unable to allow users to collaborate in Shared email folders: User 1 shares a folder let's say "SharedTopic" with full permissions Users 2 and 3 can see this folder but are unable to add emails to this folder or search in this folder. For example,Consolidated report for multi-organisation
I'm hoping to see this feature to be available but couldn't locate in anywhere in the trial version. Is this supported? The main aim to go to ERP is to have visibility of the multi-organisation in once place. I'm hopeful for this.How to Switch from Outlook for Mac to Outlook for Windows
The most often used file formats for users to manage crucial data are OLM and PST files. PST files keep a copy of data on the configured system from Outlook, while the OLM file contains the Mac Outlook data items, which are only accessible with OutlookName autocomplete
Hi, During searching emails the web tool does not always propose the auto-completion of the saved emails. As a result I either have to go to contacts and look up the exact email, or the exact full name including the middle name and any dots, which isAre custom portals accessible on the Zoho learn smartphone app?
In other words, can users external to my organisation, once signed up, use the app in the same way as internal users? ThanksHow to increase my Zoho sign limit.
I cannot send a document/contract for signature. Zoho sign says I reached my monthly limit. May I know how to fix this please? Thanks!Can not add m365 outlook account to zohomail.
I am attempting to use zoho mail as an imap client to add my outlook.com m365 account. In the m365 exchange admin center i have made sure the imap is enabled. In zoho mail i go to settings, mail accounts, add account, add imap account, i select "outlook",Unable to attach Work Order / Service Appointment PDF to Email Notifications (Zoho FSM)
I’m trying to include the Work Order PDF or Service Appointment PDF as an attachment in Email Notifications (automation/notification templates), but I don’t see any option to attach these generated PDFs. Is this currently supported in Zoho FSM? If not,local file csv import problem
The issue occurs when I upload a CSV file via Databridge. In the preview, everything looks correct — the values are in the proper columns. However, after clicking Import, the first column becomes empty, and the values from that column appear in a newFunción Deshacer y Rehacer
Hola. Soy un reciente usuario de Zoho Notebook que he migrado desde Evernote. He encontrado en falta una función que considero muy importante: un botón para "deshacer". Es frustrante cuando se borra un parte del texto o un archivo de una nota, generalmenteTip #59- Technician Console: Exploring View option- 'Insider Insights'
Hello Zoho Assist Community! Ever wondered how technicians adapt quickly during a live support session? Imagine a customer reaching out with an issue that’s disrupting their work. The technician starts a remote session and begins troubleshooting rightMRP or Manufacturing Module for Zoho
We have been searching for options for a production planning or MRP that will integrate with Zoho. Zoho Creator is pushed as a platform that can have an MRP built from scratch but we would like to find more of an out of the box solution and modify it to fit our needs. Are there any recommendations? Would Zoho consider creating a custom solution in Creator to support this need?encountering an error when attempting to associate an email with a Deal using the Zoho CRM extension in Zoho Mail.
When I click "Yes, associate," the system displays an "Oops!! Something went wrong" error message. I have attached a screenshot of the issue for reference.Can 1 Zoho CRM instance sync with 2 Zoho Marketing Automation instances?
Can 1 Zoho CRM instance sync with 2 Zoho Marketing Automation instances?Can I add Conditional merge tags on my Templates?
Hi I was wondering if I can use Conditional Mail Merge tags inside my Email templates/Quotes etc within the CRM? In spanish and in our business we use gender and academic degree salutations , ie: Dr., Dra., Sr., Srta., so the beginning of an email / letterZoho mail account ownership transfer
We recently took over another company and have assumed responsibility for its Zoho account, including Zoho Mail and all related services. We would like to formally transfer ownership of this account to our organization. Could you please outline the completeEmail Authentication is Failing
I'm trying to setup gitlab with email authentication. I used the following configs picked up from: https://docs.gitlab.com/omnibus/settings/smtp/ gitlab_rails['smtp_enable'] = true gitlab_rails['smtp_address'] = "smtp.zoho.com" gitlab_rails['smtp_port']DMARC reports for mail I didn't send: how to deal with?
I know the enthusiastic amateur's bare minimum about e-mail; am able to set up a Thunderbird account and know the basic acronyms. I have a Zoho Mail account connected to my domain, and have set up SPF, DMARC and DKIM successfully according to Zoho's instructionms
Email set up for communicationFix the speed
It takes ages to load on every step even though my dataset is quite small.Capture Bank Charges for Invoice Payments
We've added the Bank Charges field in the "Add Payments" page both in Zoho Invoice & Zoho Books. So all you need to do is to enter the bank charges when you record a payment for the invoices. This bank charge will be included to the amount paid for that invoice. Steps to add the bank charges while you record the payment: 1. Click the "Invoices" sub-tab under the "Money-In" tab. 2. Click the 'add payment' link for the invoice that you wish to record the payment for. 3. On the addImage field in custom module
Hi guy, Is there any hope of adding a custom image field in the custom module? We created a custom module to keep track of assets, and it would be helpful if we could attach an image to the record. Thanks RudyDeluge Function to Update Custom Field
I'm trying to get a Deluge function (which will run as part of a Schedule in Desk) that retrieves all tickets with the status "Recurring" and updates the custom field checkbox "cf_recurring" to "true". Here's what I have, which doesn't work: searchValue"View ticket" link is broken
The "View ticket" link in our Zoho ticketing system confirmation emails is broken (please see attached). Impacts ability to update/review details, and, refresh recollection at a later date. Any help would be much appreciated.import data from Apollo.ai into zoho crm via zoho flow
I might be asking this question in the wrong forum. We use Apollo.ai to find potential new leads for our business, there are around 10000 leads that we have initially found. We have an Apollo.ai account but just to do searches, we dont use it as a crm.Woocommerce Line Item Information
I'd like to add each line item from a Woocommerce order to a zoho creator form record. The line items are found within the line items array, but I'm not sure how to get each item out of the array? Any help would be much appreciated.Synching changes to Stripe when changes are made in Zoho Billing
We have a situation where we have merged customers in Zoho BIlling and then found out later that the payment in Stripe was not updated and still associated with the old customer record. The card gets updated and billed, but that payment is still associatedHow do I fix this? Unable to send message; Reason:554 5.1.8 Email Outgoing Blocked.
How do I fix this? Unable to send message; Reason:554 5.1.8 Email Outgoing Blocked.Disable Smart Filters By Default
The smart filters "feature" is causing confusion for Zoho Mail users. New emails should be delivered to the inbox unless they have specifically opted to redirect them somewhere else. People don't understand that new emails might be waiting in a randomME SALE ESTE ERROR: No fue posible enviar el mensaje;Motivo:554 5.1.8 Email Outgoing Blocked
Ayuda!! Me sale este error al intentar enviar mensajes desde mi correo electronico de Zoho! Tampoco recibo correos pues cuando me envia rebotan. Ayuda, Me urge enviar unos correo importantes!! Quedo atenta MAGDA HERNANDEZ +5731120888408Client Script | Update - Client Script Support For Custom Buttons
Hello everyone! We are excited to announce one of the most requested features - Client Script support for Custom Buttons. This enhancement lets you run custom logic on button actions, giving you greater flexibility and control over your user interactions.Zoho Mail not working
Zoho Mail not workingNext Page