Kaizen #3 - Scopes in OAuth2.0 Authorization #API
Hello Everyone!
Welcome to another week of Kaizen. We hope you find this series of posts useful. Please share your feedback in the comments section and keep the discussion going.
In the last kaizen post, we discussed the OAuth2.0 protocol and Self Client. There are two types of clients in OAuth 2.0—self client and web-based applications.
What you will learn from this post?
In this post, we are going to explore different facets of "Scopes in OAuth2.0 Authorization" in detail. Towards the end of this post, we will see various errors related to scopes, and how you can handle them.
Role of scopes in OAuth2.0
To use the Zoho CRM APIs, you must authenticate the client(either self client or web-based application) to make API calls on your behalf with an access token.
The access token, in return, must be obtained from a grant token (authorization code).
Zoho CRM APIs grant access to the CRM data, only if you provide a legitimate access token.
Based on the client-type, there are two different ways to generate grant token:
a. For web-based applications
Web-based applications are chosen when it requires user intervention while authorizing your application. Now, let us see how the OAuth2.0 protocol is implemented for web-based applications.
Step 1: The web application redirects the user to the OAuth server.
Step 2: The user sees the authorization prompt and approves the app's request as shown in the below image.
Step 3: The user is redirected back to the application with an authorization code in a query string.
Step 4: The application exchanges the authorization code for an access token.
As you can see, this involves user intervention while authorizing your application.
In the above explanation, in Step 2, the user will authorize the set of permissions for which the token has to be generated.
b. For self client
In our last kaizen post, in Step 5a, you must enter the set of permissions for which the token has to be generated for a self client.
These sets of permissions you define, before you generate a token are called scopes.
Scopes play a major role in OAuth2.0 Authentication. It is required for both self-client and web-based applications.
A. What is a scope in Zoho CRM?
The word scope translates to range or extent. In OAuth2.0, scopes define the liberty of a self client/ web application on a particular resource(data in Zoho CRM). The scope controls three aspects:
- The resource to which the client application gains access. Example: Users, Modules, Files, and so on.
- The client application.
- The different types of operations that the client application can perform on that particular resource. Example: ALL, READ, WRITE, CREATE, UPDATE, DELETE.
B. How do scopes work?
The access and refresh tokens are generated based on the scopes you provide.
Based on the token, the system decides whether you have access to perform a certain operation on a particular resource. Thus, there is no room left for data theft, loss, or corruption. For example, with a token that is generated just to view records, you cannot perform the update record operation.
C. Scope Format
The format to define a scope is:
scope=service_name.scope_name.operation_type
The scope consists of three components:
- service_name - Service name will always be ZohoCRM.
- scope_name - In scope name, mention the specific resource(data in Zoho CRM) for which the permissions are being defined. It can be settings, modules, users, org, bulk, notification, or coql.
- operation_type - In operation type, mention what types of operations can be performed on that resource. The following table defines the different operation types in scope:
Operation Type | HTTP Method | Description |
READ | GET | The user can just read the data. |
CREATE | POST | The user can create records. |
WRITE | POST, PUT, DELETE | The user can create, update, and delete the records. |
UPDATE | PUT | The user can update the existing records. |
DELETE | DELETE | The user can delete the records |
ALL | GET, POST, PUT, DELETE | The user can read, create, update, and delete the records. |
CUSTOM | It depends on how it is defined in the API. | User-defined, for instance, permission to send emails to leads. |
Note:
- If you give operation type as WRITE in your scope, it is implicitly understood that you are granting permission to CREATE, UPDATE, and DELETE records.
- Similarly, if you give operation type as ALL in your scope, it is implicitly understood that you are granting permission to READ, CREATE, UPDATE, and DELETE records.
D. Types of scopes
Based on the scope and methods, scopes are broadly differentiated into two types:
- Sub-scopes
- Group Scopes
a. Sub-scopes
Here the permission is defined for a specific resource. For instance, if you want to define permissions for leads and contacts modules, the scopes will be:
ZohoCRM.modules.leads.ALL
ZohoCRM.modules.contacts.ALL
Format
scope=service_name.scope_name.sub_scope_name.operation_type
The following table gives you the data about the scopes and different sub scopes. Along with each sub-scope, you can view which resource it is associated with:
Scopes | Sub scopes |
settings- This scope usually provides access to metadata and the information on the set-up page of Zoho CRM. | territories - Data about Territory Management. custom_views - Data about custom_views created by users in all the modules. related_lists - Data about related_lists. modules - Metadata of all the modules. variables - Data about CRM Variables. tags - Data about tags. tab_groups - Data about the tab groups in Zoho CRM. fields - Data about fields in all the modules. layouts - Data about layouts in all the modules. macros - Data about macros operations. custom_links - Data about the custom links. custom_buttons - Data about the custom buttons. roles - Data about roles in your organization. profiles - Data about profiles in your organization. organization - Data about your organization. |
modules- This scope gives access to all the modules in Zoho CRM. | approvals - Data in the 'My Jobs' tab. leads accounts contacts deals campaigns tasks - Part of the 'Activities' module. cases events - Part of the 'Activities' module. calls - Part of the 'Activities' module. solutions products vendors pricebooks quotes salesorders purchaseorders invoices custom - Scopes cannot be configured for individual custom modules. Use this method for all custom modules. dashboard - Data on the dashboard page. notes - Data about notes in each record. activities - Data about events, calls, and tasks. |
Apart from the above two, other scopes are–
- users - Data about individual users in Zoho CRM. For more information, refer to Users API.
- org - Data about your organization. For more information, refer to Organization API.
- bulk - Permissions to perform bulk operations. For more information, refer to Bulk API.
- notification - Permissions to send/receive instant notifications of actions performed on a module. For more information, refer to Notification API.
- coql - Permissions to write your queries. For more information, refer to Query API.
b. Group Scopes
Format
scope=service_name.scope_name.operation_type
Imagine that you need to set permissions for all the modules. With sub-scopes, you must enter the following list of scopes—
ZohoCRM.modules.leads.ALL,ZohoCRM.modules.accounts.ALL,ZohoCRM.modules.contacts.ALL,ZohoCRM.modules.deals.ALL,ZohoCRM.modules.campaigns.ALL,ZohoCRM.modules.tasks.ALL,ZohoCRM.modules.cases.ALL,ZohoCRM.modules.events.ALL,ZohoCRM.modules.calls.ALL,ZohoCRM.modules.solutions,ZohoCRM.modules.products,ZohoCRM.modules.vendors,ZohoCRM.modules.pricebooks,ZohoCRM.modules.quotes,ZohoCRM.modules.salesorders,ZohoCRM.modules.purchaseorders,ZohoCRM.modules.invoices,ZohoCRM.modules.custom.
This is both cumbersome and exposing all these details in UI is not advisable. Thus, we came up with group scopes. With group scopes, you can define a set of permissions for a collective resource set. So, if you need to set permissions for modules, you can define the scope as:
ZohoCRM.modules.ALL—This gives the user access to perform all operations in all the modules in Zoho CRM.
E. Possible Errors
Error Code | Reason | Strategy to handle |
INVALID_SCOPE | The scope value is invalid. | Check the service name, scope name, and the sub-scope. |
INVALID_OPERATION_TYPE | The operation type is invalid. | Ensure you have defined the operation type correctly. It must be either—READ, CREATE, WRITE, UPDATE, DELETE, ALL, or CUSTOM. |
OAUTH_SCOPE_MISMATCH | The operation you performed does not have the required scope. | Check if the operation you are trying to perform is allowed in the scopes defined or not. |
Note:
The INVALID_SCOPE and INVALID_OPERATION_SCOPE errors might be thrown while generating a grant token. The OAUTH_SCOPE_MISMATCH error might be thrown while you make an API call.
F. How to revoke access?
As mentioned earlier in this post, tokens are generated based on the scopes.
There are two use-cases here.
a. If you are a user who wants to revoke the access given to any web-application, then it has to be done via accounts web UI.
To revoke the access:
Step 1: Goto https://www.accounts.zoho.com.
Step 2: Choose 'Active Authtokens'.
Step 3: Click on 'Connected Apps'. Here you will be able to see all the active applications, click on the delete button to revoke access.
b. If you are a client/developer, to revoke permissions for your self-client, you must revoke the access and refresh tokens.
You cannot revoke the access token as it expires after an hour of its generation.
To revoke the refresh token, make a POST request with the following URL:
"{{Accounts_URL}}/oauth/v2/token/revoke?token={refresh_token}"
Note that you must use domain-specific Zoho Accounts URL to revoke your refresh token.
We will meet you next week with another useful topic.
Cheers!
Previous 'Kaizen' - OAuth2.0 and Self Client #API
Next 'Kaizen' - Troubleshooting OAuth2.0
Access your files securely from anywhere
New to Zoho Recruit?
Zoho Developer Community
New to Zoho LandingPage?
Zoho LandingPage Resources
New to Zoho Survey?
New to Zoho CRM Plus?
Deliver unforgettable customer experiences
New to Zoho CRM Plus?
Deliver unforgettable customer experiences
New to Zoho Marketing Plus?
Everything you need to run your marketing
New to Zoho Marketing Plus?
Everything you need to run your marketing
New to Bigin?
Topic Participants
Sneha Sridharan
Sticky Posts
Kaizen #197: Frequently Asked Questions on GraphQL APIs
🎊 Nearing 200th Kaizen Post – We want to hear from you! Do you have any questions, suggestions, or topics you would like us to cover in future posts? Your insights and suggestions help us shape future content and make this series better for everyone.Kaizen #198: Using Client Script for Custom Validation in Blueprint
Nearing 200th Kaizen Post – 1 More to the Big Two-Oh-Oh! Do you have any questions, suggestions, or topics you would like us to cover in future posts? Your insights and suggestions help us shape future content and make this series better for everyone.Celebrating 200 posts of Kaizen! Share your ideas for the milestone post
Hello Developers, We launched the Kaizen series in 2019 to share helpful content to support your Zoho CRM development journey. Staying true to its spirit—Kaizen Series: Continuous Improvement for Developer Experience—we've shared everything from FAQsKaizen #193: Creating different fields in Zoho CRM through API
🎊 Nearing 200th Kaizen Post – We want to hear from you! Do you have any questions, suggestions, or topics you would like us to cover in future posts? Your insights and suggestions help us shape future content and make this series better for everyone.Client Script | Update - Introducing Commands in Client Script!
Have you ever wished you could trigger Client Script from contexts other than just the supported pages and events? Have you ever wanted to leverage the advantage of Client Script at your finger tip? Discover the power of Client Script - Commands! Commands
New to Zoho TeamInbox?
Zoho TeamInbox Resources
Zoho CRM Plus Resources
Zoho Books Resources
Zoho Subscriptions Resources
Zoho Projects Resources
Zoho Sprints Resources
Qntrl Resources
Zoho Creator Resources
Zoho CRM Resources
Design. Discuss. Deliver.
Zoho Show Resources
Get Started. Write Away!
Writer is a powerful online word processor, designed for collaborative work.
Zoho CRM コンテンツ
-
オンラインヘルプ
-
Webセミナー
-
機能活用動画
-
よくある質問
-
Ebook
-
-
Zoho Campaigns
- Zoho サービスのWebセミナー
その他のサービス コンテンツ
Nederlandse Hulpbronnen
ご検討中の方
Recent Topics
I don't see any WITHDRAWL transaction at all
Hi I manually imported my bank statement to Zoho books today and I am a complete newbie. I have been reading the knowledgebase but unable to fix this. I only see "Uncategorized 91 DEPOSIT transactions". I don't see any WITHDRAWL transaction at all. Also,Shared inbox unable to see replies
Hi we are a small company me and someone else, we have a shared inbox for our sale@ and contact@ however we have this issue where by if i reply to an email or the other person reply to the email, it does not show it to them and therefore we end up replyingZoho Books | Product updates | August 2025
Hello users, We’ve rolled out new features and enhancements in Zoho Books. From the right sidebar where you can manage all your widgets, to integrating Zoho Payments feeds in Zoho Books, explore the updates designed to enhance your bookkeeping experience.Kaizen #136 - Zoho CRM Widgets using ReactJS
Hey there! Welcome back to yet another insightful post in our Kaizen series! In this post, let's explore how to use ReactJS for Zoho CRM widgets. We will utilize the sample widget from one of our previous posts - Geocoding Leads' Addresses in ZOHO CRM404 error at checkout
Our customers are getting a 404 error at checkout. Anyone else with the same problem?FONT Sizing in Notebook
Hi Kishore - What is the status of adding font sizing to the application? I have several things that I have pasted directly into Notebook and the fonts are HUGE! I would like the ability to highlight them and reduce the font to a legible size. NothingCan managers Upload documents to their direct rapports?
Admin employees have the ability to upload documents to employees' files; however, managers do not have add/manage button - is it possible for managers to upload their direct reports' documents, such as absence documents or 121 documents. Is there somethingLeave balance display for next year
Is there a way to not have a rollover or not limit the leave balance depending on the date. For example an employee has 10 days leave balance and wants to apply for January leave in December. They cant because the rollover doesnt show the leave balancePlease add an “Auto-Apply Unused Credits” toggle
Hello — please add a simple org-level option to automatically apply unused credits (credit notes, excess payments, retainers) to new invoices and/or bills. An ON/OFF toggle with choices “invoices”, “bills”, or “both” would save lots of manual work forZoho Books not working/loading
Hi! I haven't been able to access/load Zoho Books for the past hours. I get a time out (and it is not due to my internet connection). Could you please check this asap? Thank you!Custom Fields with Data Types for Expense and Payments Received in Zoho Books
Hi all, We are glad to present to you, the option to create Custom Fields for the Expense and Payments received modules in Zoho Books. This also comes with an icing on top of it - Yes, the custom fields can now be created with different data types. Types like Text, Number, Decimal, Amount, Auto Number and Check Box are supported as of now. Rush to the gear icon at the top right corner, select 'More Settings', choose 'Preferences' in the left pane. Click the Expense/Payment preferences where you can[Webinar] Automate sales and presales workflows with Writer
Sales involves sharing a wide range of documents with customers across the presales, sales, and post-sales stages: NDAs, quotes, invoices, sales orders, and delivery paperwork. Generating and managing these documents manually slows down the overall salesZoho Cliq - Incident alert (Server outage - IN DC) | August 28
We've received server down alerts and are currently investigating the issue (IN DC) to find the root cause. Our team is actively working to restore normal operations at the earliest. Status: Under investigation Start time: 09:44:21 AM IST Affected location:Claude + MCP Server + Zoho CRM Integration – AI-Powered Sales Automation
Hello Zoho Community 👋 I’m excited to share a recent integration we’ve worked on at OfficehubTech: ✅ Claude + MCP Server + Zoho CRM This integration connects Zoho CRM with Claude AI through our custom MCP Server, enabling intelligent AI-driven responsesHow can I see content of system generated mails from zBooks?
System generated mails for offers or invices appear in the mail tab of the designated customer. How can I view the content? It also doesn't appear in zMail sent folder.Limitations on editing a message in Cliq
Hi I've checked the documentations and there's no mention of how many times a message can be edited. When trying with code, I get various numbers such as ~1000 edits or so. Please mention if there's a limit on how many times one can change a message viaProblem with reports due to "Connected" items change - Yes this IS a problem
Now that the change has been made to use "connected" items I can no longer run the reporting I need in CRM. I should be able to start with Deals as the parent, connect down to the Account (Account_Name) on the deal as the child, then to any child itemsCRM x WorkDrive: File storage for new CRM signups is now powered by WorkDrive
Availability Editions: All DCs: All Release plan: Released for new signups in all DCs. It will be enabled for existing users in a phased manner in the upcoming months. Help documentation: Documents in Zoho CRM Manage folders in Documents tab Manage filesNarrative 10: Assignment Rules - Streamlining Ticket Management
Behind the scenes of a successful ticketing system: BTS Series Narrative 10: Assignment Rules - Streamlining Ticket Management In the complex world of customer support, a flood of incoming tickets can hit the help desk in seconds. Businesses must do moreFree webinar! Digitize recruitment and onboarding with Zoho Sign and Zoho Recruit
Hello, Tired of being buried in onboarding paperwork? With the integration between Zoho Sign and Zoho Recruit, a powerful applicant tracking system, you can digitize and streamline the entire recruitment and onboarding process, all from one platform.Custom form - Duplicate Value Present
I am new to Zoho People. I create a new form on Zoho People quite simple. A date (by default the current date) and a radio button with 3 options (Yes, No, Not applicable) I defined the date as ‘No duplicate’ as only one entry by date is allowed. I added:Zoho API connection issues
Hi, Today at around 1930 GMT our application started experiencing intermittent timeouts from the Zoho API. These intermittent timeouts are not enabling our app to work properly. The API connection was working just fine before. HTTPSConnectionPool(host='www.zohoapis.com',Query Regarding our Partnership between AIC-JKLU and Zoho
Dear Zoho Team, I am writing to raise a concern on behalf of AIC-JKLU, one of Zoho’s incubator partners. Recently, our startups have been facing difficulties while trying to get themselves onboarded on Zoho through our dedicated partner link. Unfortunately,Getting events in the future
Hi I am trying to get events in the future by calling this API Endpoint https://www.zohoapis.eu/crm/v8/Events?fields=Event_Title,Created_By,Created_Time,Start_DateTime But that gives me all events in the database. How do I make a query that returns allCreated Date/Invalid Fields
Since Saturday we have suddenly had issues with our webhooks and data retrieval from CRM. Specifically how Created Date is handled. It appears there was some sort of change within CRM that broke a lot of our code that has been in place for several years.Problem for EU users connecting Zoho CRM through Google Ads for Enhanced conversions
Has anyone else experienced this problem when trying to connect Zoho CRM through Google Ads interface to setup enhanced conversions? Did you guys get it fixed somehow? The Problem: The current Google Ads integration is hardcoded to use Zoho's US authenticationintegration zoho form - drive
I integrated my form with Google Drive. The report of user submissions from the Google Form becomes a Google Sheets table. When I used Google Forms for the same task, the summary sheet adapted to the form. For example, if I added a new field to the form,Revenue Management: #9 Revenue Recognition in Media & Publishing
Media & Publishing industry has evolved in recent times. It offers subscriptions, bundles digital and print access, runs sponsored content, and sometimes even sells ad spaces. If you run a media or publishing business, you will always get into a situationZoho CRM Community Digest - July 2025 | Part 2:
Hello, Everyone! We’re closing out July with a can’t-miss highlight: Zoholics Europe 2025! Happening from September to October, it’s your chance to level up your CRM skills, covering everything from automation and CPQ to dashboards and advanced workflows.How can I trigger a flow action only once while updating contact?
Hi, we have a trigger to merge&mail file when the field YYY is filled out. For this acion I used "Create or update module entry". But unfortunately we get tens of email on a day with this merged file, because the contact is being regularly updated. TheClone a Module??
I am giong to repurpose the Vendors module but would like to have a separate but very similar module for another group of contacts called Buyers. I have already repurposed Contacts to Sellers. Is it possible to clone (make a duplicate) module of VendorsCopy a Record Template from one Form to another
I have a Creator application with several forms. I developed a record template for one of the reports/forms but want to use most of it for another of the form/report combinations in the application. Is there a way to copy the template (code or otherwise) to another form?Tip of the Week #70 – Create common team signatures for your shared inboxes
Did you know that a small detail, such as an email signature, can make a big difference in how your brand is perceived? One simple yet smart way to enhance your team’s communication is by creating common team signatures for your shared inboxes. InsteadEnhanced data export features: XLSX format, custom character encoding, and selective record export
Greetings all, Here are a few enhancements related to exporting CRM data, including the ability to export data in XLSX file format now. The Export feature under Data Administration now offers new options that expand its flexibility and enable users toTip #42 – How to manage data security with Privacy Settings – 'Insider Insights'
Data privacy is a cornerstone of trust in remote support. Through Privacy Settings in Zoho Assist, you can set up how data is gathered, stored, and handled in your organization. These settings ensure compliance, data protection for sensitive details,Zoho DataPrep and File Pattern configuration
I'm using Zoho data prep to ingest data from One Drive into Zoho Analytics... The pipeline is super simple but I can't any way to get all the files that I need. Basically I need to bring all the files with a certain pattern and for that I'm using a regexIntroducing Dark Mode / Light Mode : A New Look For Your CRM
Hello Users, We are excited to announce a highly anticipated feature - the launch of Day, Night and Auto Mode implementation in Zoho CRM's NextGen user interface! This feature is designed to provide a visually appealing and comfortable experience forQuick Item Search & Auto-suggestion for Invoices
Hi Team, I am facing an issue while creating invoices in Zoho Books. Currently, I have to type the full item name in the correct sequence and spelling for it to appear. For example, my item name is: "Distemper Acri Silk Special White 10kg" If I type somethingEmpowered Custom Views: Cross-Module Criteria Now Supported in Zoho CRM
Hello everyone, We’re excited to introduce cross-module criteria support in custom views! Custom views provide personalized perspectives on your data and that you can save for future use. You can share these views with all users or specific individualsTicketbai! en el Pais Vasco
Hola a todos, En enero de 2.022 se va a implantar en el país vasco un nuevo sistema de facturación, denominado ticketbai!, ¿hay alguna previsión de realizar las adaptaciones en zoho books o zoho invoices? Ignoro la cantidad de clientes que tienen estasNext Page