Welcome back to another week of Kaizen!!
This week, we are diving into how to implement secure user authentication using Login with Zoho and integrate it with Zoho CRM through our Python SDK.
To ground this in a real-world scenario, we will look at how Zylker Academy, a training institute offering web design and development courses, uses an internal portal that connects directly to Zoho CRM. This setup allows course coordinators to manage student data without maintaining a separate backend database.
Zylker receives frequent student enquiries and uses Zoho CRM to manage all related information. Every course coordinator, academic advisor, and support staff member who needs access to student information is added as a user in Zoho CRM, with access permissions aligned to their role. Instead of using Zoho’s interface directly, Zylker’s team works through a custom internal web portal, tailored to their workflow. This portal connects directly to Zoho CRM, reading from and writing to it, but does not have its own database.
But before this portal can access any CRM data, it must authenticate itself securely. Every time a user opens the portal, they must log in with their Zoho account. Once authenticated, they will be granted access to the CRM modules and records they are authorized to work with. That is where Login with Zoho comes in.
What is "Login with Zoho"?
Login with Zoho is Zoho’s implementation of the OAuth 2.0 Authorization Code flow. It allows applications to authenticate users and access their Zoho CRM data without ever handling their passwords.
Instead of asking users for their Zoho credentials directly, the app redirects them to Zoho’s login screen. Here is how it works:
- The app redirects the user to Zoho’s login page.
- The user logs in and approves the requested permissions (scopes).
- Zoho sends back an authorization code.
- The backend exchanges this code for access and refresh tokens.
- These tokens are used to make authenticated API calls.
This flow ensures that users maintain full control over their data. They can revoke access at any time, and your application never handles or stores passwords.
In Zylker’s case, every time a coordinator opens the portal, they are prompted to log in with their Zoho account. Once authenticated, they can immediately begin working with student records—all backed by Zoho CRM.
Use Case Implementation: Zylker’s Student Management Portal
To demonstrate how this login flow works, we have built a stripped-down version of Zylker's portal:
- A front-end form to enter and view student data
- A backend server that interacts with Zoho CRM via the Zoho CRM Python SDK
The application includes a simple form for capturing student details—name, college, course, email, and phone number. Submitted data is treated as a Lead in Zoho CRM.
The app allows users to:
- Add new leads
- View a list of all registered leads
- Edit an existing lead’s information
- Delete records if necessary
All actions go straight to Zoho CRM using its Python SDK. But before any of this can happen, the user must complete the login flow.
Sample Project Structure
Before going into the implementation details, let us briefly define the components of the project.
Frontend
The frontend is a simple static web interface built with HTML, CSS, and JavaScript. It runs in the browser and handles user interactions and triggers backend API calls. These are the main files:
- index.html : Main UI for login, data entry, and record viewing.
- script.js : Contains the client-side logic to trigger login, submit data, and render records.
- redirect.html : A minimal page used to capture the authorization code returned by Zoho after login.
The frontend is served using any static server (e.g., Live Server in VS Code) and runs on http://localhost:5501/ in our example.
Download the files from here.
Configuration Notes:
- In script.js, update the redirect_url value in the login request to match your actual domain or port if you’re not using localhost:5501.
- Ensure the URL in the Zoho API Console matches this redirect URI and port.
Backend
The backend is a Python server that handles all interactions with Zoho CRM via the Python SDK. It includes:
- server.py : A custom HTTP server that:
  - Generates the Zoho login URL
  - Exchanges the authorization code for tokens
  - Initializes the SDK
  - Exposes endpoints like /create, /get_records, /update, and /delete
- record.py : Contains functions to create, fetch, update, and delete records in CRM modules like Leads. Each function uses the Zoho Python SDK methods to perform a specific operation.
Download the files from here.
Configuration Notes:
- In server.py, replace the client_id with your actual client ID from Zoho's API Console.
- In record.py, replace the client_secret with your actual client secret.
- If required, change the front-end server’s host and port in the run() function at the bottom of server.py:
def run(server_class=HTTPServer, handler_class=SDKInitialize, port=xxxx):
Sample project flow
Step 1: Register the application with Zoho API console
To initiate the login process, you need to register your application on the Zoho API Console. This is a one-time setup that provides your app with a Client ID and Client Secret, both of which are required to authenticate users and exchange authorization codes for tokens.
To register your application:
We will be using these values in the backend script (server.py) that handles token exchange.
NOTE: To support users from multiple data centres, make sure to enable multi-DC support for your application. You can do this by going to your app’s settings in the Zoho API Console and turning on the Multi-DC option.
Step 2: Implementing the login flow
Here is a walkthrough of the flow implemented in the project:
1. Page loads and triggers login
When a user opens the portal, the frontend automatically initiates the login sequence. It first makes a call to the backend to retrieve the Zoho authorization URL.
In index.html, this triggers getRecords() on page load:
<body onload="getRecords();">
In script.js, getRecords() calls the login() function:
async function getRecords() {
    login();
}
The login() function sends a request to the backend to get the Zoho OAuth authorization URL.
2. Backend builds login URL
The backend responds with an OAuth URL that includes:
- Your client ID
- Scopes like ZohoCRM.modules.ALL
- The redirect URI
In server.py, under do_GET, the /login endpoint generates the OAuth URL:
if parsed_url.path == '/login':
    redirect_url = query_params.get('redirect_url', [''])[0]
    scope = "ZohoCRM.settings.fields.ALL,ZohoCRM.modules.ALL,ZohoCRM.users.READ,ZohoCRM.org.READ"
    url = "https://accounts.zoho.com/oauth/v2/auth?scope=" + scope + "&client_id=" + self.client_id + \
          "&redirect_uri=" + redirect_url + "&response_type=code&access_type=offline"
    self._set_headers()
    # Send response
    response = {"url": url, "redirect_url": redirect_url}
    self.wfile.write(json.dumps(response).encode('utf-8'))
Once the frontend (script.js) receives the login URL, it opens it in a popup window.
const response = await fetch('http://127.0.0.1:8085/login?redirect_url=http://127.0.0.1:5501/redirect.html');
const data = await response.json();
const popup = openCenteredPopup(data.url, "PopupWindow", 600, 400);
Here's an example of the Zoho OAuth authorization URL format:
https://accounts.zoho.com/oauth/v2/auth?
scope=ZohoCRM.modules.ALL&
client_id=YOUR_CLIENT_ID&
response_type=code&
access_type=offline&
redirect_uri=YOUR_REDIRECT_URI
3. User logs in on Zoho
The user logs in with their Zoho credentials and is prompted to approve the app's access. Once they approve, Zoho redirects them to the specified redirect URI along with an authorization code and location parameter. The location parameter indicates which data centre the user belongs to.
4. Frontend captures the authorization code
The redirect page, a minimal HTML file (redirect.html), reads the URL parameters and stores them in localStorage, then closes the popup:
function setAccessToken() {
    var hashProps = getPropertiesFromURL();
    if (hashProps) {
        for (var key in hashProps) {
            if (hashProps.hasOwnProperty(key)) {
                localStorage.setItem(key, hashProps[key]);
            }
        }
    }
    setTimeout(function () { window.close(); }, 0);
}
5. Token exchange and SDK initialization
Once the popup window is closed, the main window retrieves the authorization code and location and sends them to the backend’s /initialize endpoint.
In script.js:
var code = localStorage.getItem("code");
var location = localStorage.getItem("location");
initialize(code, location, data.redirect_url);
// ...
async function initialize(code, location, redirect_url) {
    const response = await fetch('http://127.0.0.1:8085/initialize?code=' + code + '&location=' + location + '&redirect_url=' + redirect_url);
}
In server.py, the /initialize endpoint handles SDK initialization:
elif parsed_url.path == '/initialize':
    code = query_params.get('code', [''])[0]
    location = query_params.get('location', [''])[0]
    redirect_url = query_params.get('redirect_url', [''])[0]
    LeadsRecords().init(self.client_id, code, location, redirect_url)
In record.py, the SDK is initialized and tokens are stored.
token = OAuthToken(client_id=client_id,
                   client_secret=client_secret,
                   grant_token=code,
                   redirect_url=redirect_url)
Initializer.initialize(environment=environment,
                       token=token,
                       logger=logger,
                       store=store)  # FilePersistence or custom store
This exchanges the authorization code for:
- An access token (valid for one hour)
- A refresh token (used to get new access tokens)
These tokens are saved in a local file (sdk_tokens.json). This is configured using Zoho’s FilePersistence class during SDK initialization.
How are tokens linked to users?
The SDK maps each access and refresh token pair to a unique user-organization combination. This means tokens generated for different organizations by the same user are stored separately. Likewise, if a user generates new tokens for the same organization, the SDK updates the existing tokens instead of creating duplicates. This ensures that API calls always use the correct tokens tied to the authenticated user and their organization.
To enable this mapping, the SDK retrieves the user and organization information in the background. This requires the appropriate scopes to be included during authentication, ZohoCRM.users.READ and ZohoCRM.org.READ. Without these scopes, the SDK cannot identify the user-org combination correctly, which can lead to multiple token entries for the same user. That is why, in our sample project, we have included these scopes explicitly in the server.py file during the SDK initialization.
Once the SDK is initialized, the user is logged in, and the app can begin making CRM API calls on their behalf.
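A hardened take on the two backend steps of this walkthrough, /login and /initialize, given here as an added example and not as code from the sample project: it URL-encodes the query, accepts only a registered redirect URI, and ties the callback to the login request with the standard OAuth 2.0 state parameter. The names build_login_url, validate_callback, ALLOWED_REDIRECTS and ALLOWED_LOCATIONS are hypothetical, the location codes are placeholder values, and the frontend is assumed to forward the state it receives on redirect.html together with code and location.

```python
import secrets
from urllib.parse import urlencode

AUTH_ENDPOINT = "https://accounts.zoho.com/oauth/v2/auth"  # as used in server.py
SCOPES = ("ZohoCRM.settings.fields.ALL,ZohoCRM.modules.ALL,"
          "ZohoCRM.users.READ,ZohoCRM.org.READ")

# Assumption: the redirect URI registered for this app in the API Console.
ALLOWED_REDIRECTS = {"http://127.0.0.1:5501/redirect.html"}
# Assumption: placeholder data-centre codes this deployment accepts.
ALLOWED_LOCATIONS = {"us", "eu", "in", "au"}

# state -> redirect URI it was issued for (in-memory, single process).
_pending_states = {}


def build_login_url(client_id, redirect_url):
    """Return (authorization_url, state) for a registered redirect URI."""
    if redirect_url not in ALLOWED_REDIRECTS:
        # Never reflect a caller-supplied redirect into the OAuth URL.
        raise ValueError("redirect_url is not registered for this app")
    state = secrets.token_urlsafe(32)          # unguessable, one per login
    _pending_states[state] = redirect_url
    query = urlencode({                        # encodes ':', '/', ',' safely
        "scope": SCOPES,
        "client_id": client_id,
        "redirect_uri": redirect_url,
        "response_type": "code",
        "access_type": "offline",
        "state": state,
    })
    return AUTH_ENDPOINT + "?" + query, state


def validate_callback(params):
    """Validate the values sent to /initialize before the token exchange.

    params is a dict with 'code', 'location' and 'state'.
    Returns (code, location, redirect_url); raises ValueError otherwise.
    """
    # pop() makes each state single-use, so a replayed callback fails.
    redirect_url = _pending_states.pop(params.get("state", ""), None)
    if redirect_url is None:
        raise ValueError("unknown or already used state")
    code = params.get("code", "")
    if not code:
        raise ValueError("missing authorization code")
    location = params.get("location", "")
    if location not in ALLOWED_LOCATIONS:
        raise ValueError("unexpected location value")
    # The redirect URI comes from the server-side record, not from the client.
    return code, location, redirect_url


if __name__ == "__main__":
    url, state = build_login_url("YOUR_CLIENT_ID",
                                 "http://127.0.0.1:5501/redirect.html")
    print(url)
    # Constructed callback values, as the frontend would forward them.
    print(validate_callback({"code": "sample-code", "location": "us",
                             "state": state}))
```

In server.py, the /initialize handler would call LeadsRecords().init(...) with the returned values only after validate_callback succeeds.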
Step 3: Accessing Zoho CRM
Once the user is authenticated and the Zoho SDK is initialized on the backend, the frontend can call custom backend endpoints like /create or /get_records. These endpoints use the authenticated SDK instance to make CRM API calls on behalf of the user.
- GET /get_records?module=Leads : View all students
- POST /create?module=Leads : Add new student
- PUT /update?module=Leads&id=... : Edit existing entry
- DELETE /delete?module=Leads&id=... : Remove existing entry
Deploying the sample project
To run this application, you will need two components:
- A frontend server to serve your HTML files (index.html, script.js, redirect.html). This can be done using any static web server (e.g., Live Server in VS Code).
- A Python backend server that handles login, token storage, and CRM API communication. You can run it using:
python server.py
In the given example, both servers communicate over localhost. You should set your redirect URI accordingly when registering your app in the Zoho console.
Conclusion
Login with Zoho is a secure, OAuth-based mechanism that allows users to authorize your application to access their Zoho CRM data. In this example, we built a real-world use case, a student portal for Zylker Academy, that authenticates users and interacts with CRM directly using the Zoho CRM Python SDK.
By walking through the entire flow, you now understand:
- Why OAuth is essential for secure CRM access
- How to register an application in Zoho
- What the login and token exchange flow looks like
- How to implement "Login with Zoho" in your applications
What is next?
In this project, we have used a simple file persistence method to store the token files. But in a real-world scenario, this may not always meet your business requirements. In next week's Kaizen, we will implement custom token persistence instead of file persistence in the current project. We will explain how to implement this using SQLite, In-Memory and List DBs. With that, you will be equipped to implement a persistence method that fits your application architecture and deployment environment.
We hope that you found this useful. If you have any queries, let us know in the comments below, or send an email to support@zohocrm.com. As always, we would love to hear from you!!
Stay tuned for next week's Kaizen : Implementing Custom Token Persistence