Org-specific OAuth2.0 Tokens in Zoho CRM

Org-specific OAuth2.0 Tokens in Zoho CRM

Hello everyone!

This post is to inform you that there is an update to the OAuth2.0 flow for CRM while generating the authorization code (grant token).

Web-based Clients
The Current Flow
  1. The user clicks the Login with Zoho button on any third-party app.
  2. The app redirects the user to the Zoho Login page, and the user enters the Zoho credentials.
  3. A pop-up, similar to the one below, appears asking for the user's consent that the app wants to access certain user data.
  4. When the user clicks the Accept button, Zoho Accounts redirects the user to the app with the authorization code (grant token) in the URL.
  5. Using this grant token, the app owner generates access and refresh tokens to access user's data.
  6. The app can use the same access and refresh token regardless of the environment (Production, Sandbox, or Developer) in which the user data is present. All the app owner has to do is change the API domain URL in the API requests.

In the current flow, the app owner can use a single access and refresh token for a user and make API calls to any environment. It is sufficient just to change the API domain URL in the API requests.

The New Flow
  1. The user clicks the Login with Zoho button on any third-party app.
  2. The app redirects the user to the Zoho Login page, and the user enters the Zoho credentials.
  3. A new pop-up, similar to the one below, appears to ask the user to choose the environment-specific org, such as Production, Sandbox, or Developer, whose data the app can access.
  4. The user selects one of the orgs from the available ones and clicks Submit.
  5. Zoho Accounts now takes the user to the consent page that displays the chosen org and the data (scope) that the app wants to access.
  6. When the user clicks Accept, Zoho Accounts redirects the user to the app with the authorization code in the URL.
  7. Using this grant token, the app owner generates access and refresh tokens to access user data specific to the environment.
In this flow, the user can choose to grant access to the application only to a particular org (either in the Production, Sandbox, or Developer instance of CRM). Therefore, the access and refresh token generated for a user becomes org-specific in an environment. For instance, the app cannot use tokens generated for an org in the Production environment to make API calls to the orgs in the sandbox or developer accounts.

Self Clients

The Current Flow
  1. Go to Zoho developer console.
  2. Choose your self client.
  3. Enter the scope, choose the time duration the authorization code is valid for, and enter a description.
  4. Click Create.


  5. The authorization code will be displayed.
  6. Use this code to generate access and refresh tokens.

Here, you can use the same access and refresh tokens to make API calls irrespective of the org or the environment. You must only change the API domain URL.

The New Flow
  1. Go to Zoho developer console.
  2. Choose your self client.
  3. Enter the scope, choose the time duration the authorization code is valid for, and enter a description.
  4. Click Create. A pop up displays the list of portals as shown below.
  5. Choose a portal. This displays the list of environments and different orgs under each environment.
  6. Select the org in an environment you want to generate the authorization code for.

  7. Click Generate. The authorization code will be displayed.

In this flow, the access and refresh tokens are specific to only the org and the environment they were generated for. You cannot use the org-specific tokens in an environment to make calls to another org in an environment.

Why are we making this change?
Increased security and restricted data access.
In this flow, the user can grant access to the app only to a particular org in an environment. Therefore, when the access token is breached, the data in the orgs under other environments are still safe.

Who should be concerned?
The application owners who use the same access and refresh tokens to make API calls to more than one environment, must ensure to use tokens specific to the org and the environment they were generated for.

This update will be opened to customers in phases from today (May 07, 2020).


Write to us at support@zohocrm.com if you have any questions.

Cheers!
Shylaja
Zoho CRM







    • Sticky Posts

    • Kaizen #217 - Actions APIs : Tasks

      Welcome to another week of Kaizen! In last week's post we discussed Email Notifications APIs which act as the link between your Workflow automations and you. We have discussed how Zylker Cloud Services uses Email Notifications API in their custom dashboard.

    • Kaizen #216 - Actions APIs : Email Notifications

      Welcome to another week of Kaizen! For the last three weeks, we have been discussing Zylker's workflows. We successfully updated a dormant workflow, built a new one from the ground up and more. But our work is not finished—these automated processes are

    • Kaizen #152 - Client Script Support for the new Canvas Record Forms

      Hello everyone! Have you ever wanted to trigger actions on click of a canvas button, icon, or text mandatory forms in Create/Edit and Clone Pages? Have you ever wanted to control how elements behave on the new Canvas Record Forms? This can be achieved

    • Kaizen #142: How to Navigate to Another Page in Zoho CRM using Client Script

      Hello everyone! Welcome back to another exciting Kaizen post. In this post, let us see how you can you navigate to different Pages using Client Script. In this Kaizen post, Need to Navigate to different Pages Client Script ZDKs related to navigation A.

    • Kaizen #210 - Answering your Questions | Event Management System using ZDK CLI

      Hello Everyone, Welcome back to yet another post in the Kaizen Series! As you already may know, for the Kaizen #200 milestone, we asked for your feedback and many of you suggested topics for us to discuss. We have been writing on these topics over the

    • Recent Topics

    • Can't receive any email from other platform

      Hello,everyone, i'm just join zoho and create two email accounts for my own business. I was using it to get a verified email from stripe, but can't receive it. and I use my private gmail account to send test email twice, first time show below reply, but

    • Your Incoming has been blocked and the emails will not be fetched in your Zoho account and POP Accounts

      Can some on help me regarding our account . thank you so much

    • Zoho Creator integration with Sage 50

      Hi, Wondering if anyone has had any experience connecting Zoho to Sage 50 and could share any information on this matter. Thank you.

    • Conditional Email Forwarding

      How can I set conditional email forwarding of the users? For example: Mail should be forwarded to a address only if it comes from a particular sender. So, I want such email forwarding, which forwards mails based on particular conditions, like the incoming

    • Incoming emails not appearing in Inbox

      Hello, I have an issue with incoming emails sent from my website (domain: h2ostop.si). Emails are visible in the Sent folder, which means they are successfully sent through Zoho SMTP, but they never appear in my Inbox. Nothing arrives in Inbox, Spam,

    • Automatic Matching from Bank Statements / Feeds

      Is it possible to have transactions from a feed or bank statement automatically match when certain criteria are met? My use case, which is pretty broadly applicable, is e-commerce transactions for merchant services accounts (clearing accounts). In these

    • Email Opt Out Question

      Has the problem where if a customer is emailed opt out prevents you sending standard emails? For me this feature is simply to stop any email marketing and should not block people from receiving emails via Zoho mobile, which makes no sense.

    • Can No Longer Access Zoho Email Accounts from iPhone or iPad Apple Mail Apps ,.

      Keeps asking for password, Says ID or password incorrect. Tried creating a new app specific password. Same result. Is this possibly related to the server maintenance. Have verified all email settings, userid and password. This has worked for years until

    • Latest update caused issue in using marathi typingzoho

      With latest update now marathi typing does Not work in zohonotebook. I preferred zoho over other because it was supporting marathi font without any distortion.. But after new update,keyborad simply does not work

    • Login verification emails never received.

      I can't login to my account. You send a verification email, but it never arrives. This is a common problem, frequently caused by some relay point out there classifying the sender as a spammer. Is there anything I can do to bypass this? Maybe get a text

    • Global lists for Multi select

      It would be great if I could select a global list to use for a multi select dropdown filed.

    • Yahoo is rejecting e-mails sent from a Zoho server

      Diagnostic-Code: 4.7.0 [TSS04] Messages from 136.143.169.51 temporarily deferred due to unexpected volume or user complaints - 4.16.55.1; see https://postmaster.yahooinc.com/error-codes Remote-MTA: dns; mta5.am0.yahoodns.net

    • Yahoo blocks e-mail sent from Zoho servers

      Getting this for a bunch of Yahoo addresses. Do you know if some of your servers got blacklisted? Diagnostic-Code: 4.7.0 [TSS04] Messages from 136.143.169.51 temporarily deferred due to unexpected volume or user complaints - 4.16.55.1; see https://postmaster.yahooinc.com/error-codes

    • Working with dates and Function Field

      Hello friends! I'm trying to add days to a date, however the field function will always shows 00:00:00 after the resultant date. How can I display only the date, whithout the time? toDate(input.request_date.addDay(input.Prazo_acordado),"MM,d,yyyy") The code above will result something like "11-Feb-2020 00:00:00", but I want to display only "11-Feb-2020"

    • What's New in Zoho Analytics - November 2025

      We're thrilled to announce a significant update focused on expanding your data connectivity, enhancing visualization capabilities, and delivering a more powerful, intuitive, and performant analytics experience. Here’s a look at what’s new. Explore What's

    • Unable to send message;Reason:550 5.4.6 Unusual sending activity detected. Please try after sometime.

      Please help my account got blocked automatically, can you help me how to avoid it? Thanks so much

    • temporary system errorlouis

      J'essaye d'envoyer des mails avec mes 2 adresses mail qe nous avons sur le compte arthur@lepunch.fr et louis@lepunch.fr mais j'ai toujours le message temporaire system error, je reçois les mails mais impossible d'en envoyer a qui que ce soit

    • How to Cancel/Delete Queued Mail Merge?

      Hi. I just tried to do a mail merge before realizing there's a limit on number of sends. I accidentally sent one of my lists twice, and all of those emails are currently queued. Is there any way to cancel or delete a queued mail merge? Would love to be

    • SOLVED: Stopping Multiple Invitations when sync with Google Calendar

      I wanted to share this solution as I wasn't able to find it when searching through the Zoho community and via web search. The issue: When requestor books a meeting through Zoho Bookings, the requestor receives a confirmation email from both Bookings and

    • Need to add a new admin for my domain

      Hello Zoho Support, I am the owner of the domain localeistanbul.com. The current super admin account (admin@localeistanbul.com) is not accessible. I do not want to reset or delete the existing account because I need to keep all existing emails. Please

    • Possible Fraud Site.

      Hello. I received a text with the sender's name as zoho, claiming that my account was at risk and that I should sign in at https://verify.zohomails.ru/signin to verify my account. I signed in on the web address above, and a few days later someone hacked

    • Zoho mail to Teaminbox

      Hello, We're searching for new mail program. Now I'm testing a bit with zoho mail and team inbox. My findings in the research: Pop mail throught zoho mail is almost instant. Any pop or imap via external provider takes a couple minutes to 15 minutes before

    • Crear tarea CRM con recordatorio desde Zoho Flow

      Hola, estoy intentando crear desde Zoho Flow una tarea en CRM. Lo he logrado hacer pero sin recordatorio, ya que no se como se debe escribir el string adecuado. He probado varias alternativas, pero ninguna me funcionó hasta ahora. - FREQ=NONE;ACTION=EMAIL;TRIGGER=DATE-TIME:${FechaVto}

    • Inquiry Regarding Automated Assignment of Zoho TeamInbox Messages using Zoho Flow and Deluge

      Hello, Our company is currently using Zoho TeamInbox, and we are interested in automating the assignment of responsible parties using tools such as ZOHO Flow and Deluge. Is it possible to achieve this? Allow me to provide more details. Currently, when

    • Multiple clients in one project

      Hi team, What is the possibility to have more than one client to be linked for one project in the Zoho Books? Our business model is to have a project, and this project have expenses/bills, as well, we issue invoices for this same project to several customers.

    • Upgrade Zoho Desk Agent-Side Answer Bot to GenAI

      Hello Zoho Desk Team, We hope you're doing well. Following the recent announcements and rollout of the GenAI-based Answer Bot in Zoho SalesIQ (Nova '25), we’d like to formally request a similar upgrade for the Answer Bot used by agents inside Zoho Desk.

    • Marketers' Space: The importance of warming up your sender domain

      Hello Marketers, Welcome back to yet another post! Today, we'll talk about why warming up your sender domain matters. Imagine you've recently started a business and want to share the news with your customers. You've designed a great email campaign using

    • An Exclusive Session for Zoho Desk Users: AI in Zoho Desk

      A Zoho Community Learning Initiative Hello everyone! This is an announcement for Zoho Desk users and anyone exploring Zoho Desk. With every nook and corner buzzing, "AI's here, AI's there," it's the right time for us to take a closer look at how the AI

    • Search Just Got Smarter in Notebook

      Hello there! Introducing Our New & Improved Search Experience! We heard your feedback! Many of you shared that our previous search had some challenges like • Inconsistent results across different clients • Limited accuracy in finding the right content

    • Zoho Desk app update - AI Integration for IM Chats

      Hello everyone! We have now introduced AI integration for IM Chats within the Zoho Desk mobile app. To access the feature, please enable the 'Generative AI' settings on the desktop site(desk.zoho.com). Please refer to the help link attached below: Zoho

    • Open A.I assistant Connect with Zoho Desk instant Message Conversations

      I would like to know how do I connect my instant messenger in Zoho desk with my Open A.I Gpt Assistant. this is very easy to setup using the Salesiq Zobot but when it comes to Zoho Desk i cannot figure how to make the connection. Ideal workflow Customers

    • Cannot upgrade subscription plan due to payment error message

      Hi Zoho team, This is to request support on an issue I am facing during an upgrade I am trying to make to our company's yearly Zoho subscription. I am trying to add 3 more license to my plan and during the payment phase I get the below error as in the

    • Enhancing Zia's service with better contextual responses and article generation

      Hello everyone, We are enhancing Zia's Generative AI service to make your support experience smarter. Here's how: Increased accuracy with Qwen One of the key challenges in AI is delivering responses that are both contextually accurate and empathetic while

    • Zoho Desk app update: AI powered features

      Hello everyone! We’ve introduced various AI-powered services on the Zoho Desk app. Let's take a look at what's new. Generate Content: Generate Content uses AI to formulate responses based on the your query and provides a ready-to-use reply which can be

    • Bulk update Archived Ticket

      Dear All We would like to update the "Category" values to the new filed. We found the archived Ticket seems to be don't support the bulk action. Do we have any way to update it. Finally, we would to generate a report for our ticket system. Regards I

    • Channel Configuration and Default Channels

      There are some of the default fields that cannot be removed or changed. Examples are the social media ones, such as Facebook. It would be nice to be able to remove these fields as it would be confusing if someone selected this but it's not configure

    • Delay function execute

      I've got a workflow which uses a webhook to send information to Flow, which in return updates a record in Creator. Problem is, by the time this has executed, the rest of my script has run and can't find the (yet to be) updated info in the record. Is there

    • Support www.camcard.com

      Hi, Is it possible CRM Zoho have integrations with https://camcard.com/? Thanks Br, Andy

    • Option to Customize Career Site URL Without “/jobs/Careers”

      Dear Zoho Recruit Team, I hope you are doing well. We would like to request an enhancement to the Career Site URL structure in Zoho Recruit. In the old version of the career site, our URL was simply: 👉 https://jobs.domain.com However, after moving to

    • Can't make a document editable to anyone

      Hey everyone, I am using Zoho Workdrive and trying to share a document so that it is editable by anyone with the link. I am trying to convince people to shift from Google to Zoho, but they don't have accounts yet. When I try to change the share settings

    • Next Page